About this guide 


Welcome to Qualys App for Splunk Enterprise with TA! This user guide describes how to 
install and use the Qualys Technology Add-on (TA) to see your Qualys data in Splunk. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please 
visit www.qualys.com. 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 

Want to contact support? 


Go to the support portal www.qualys.com/support/ and open a ticket with the following 
information: 


- Qualys TA version 
- Visualization App version related to the issue, if any 
- Complete TA and Splunk log for the time duration you had the issue 




Get Started 


Qualys App for Splunk Enterprise pulls (via the TA-QualysCloudPlatform) vulnerability 
and compliance detection data from your Qualys account and puts it in Splunk for easier 
searching and reporting. 


The app uses Splunk’s App Development framework and leverages existing Qualys APIs. 


Pre-requisites 

- A valid Qualys account with API access 
- A Splunk Enterprise/Cloud account 
- Computer with Linux 


Download and Install the App 
Download the latest version of Qualys Technology Add-on (TA) for Splunk by going to: 
https://splunkbase.splunk.com/app/2964/ 




Upload the downloaded tar.gz file using the “Install app from file” option. 


[Screenshot: Apps page. Click "Install app from file" to upload and install the app.] 

Browse to the file and click Upload. 


[Screenshot: Upload app page. Browse to the tar.gz file you downloaded and click Upload. 
Selecting "Upgrade app" overwrites the app if it already exists.] 


You'll be prompted to restart Splunk. When you log back in, click the “Set up now” button. 


[Screenshot: "Install successful. App setup required. You must set up your new app before 
you can use it." with the "Set up now" and "Set up later" buttons.] 




Prefer to do this later? No problem. At any time go to the Apps list, find Qualys Technology 
Add-on for Splunk and click the “Set up” link under Actions. 


Configure the App 


Provide details for connecting to the Qualys API Server. Then configure settings for 
collecting VM, WAS, PC, FIM, EDR, CS detection data, Activity log, and KB Data. To access 
this page, go to Apps > Manage Apps > Qualys Technology Add-on for Splunk > Set up. 


Note 


If you are installing TA for the first time or upgrading a TA that has no configuration, 
you must restart Splunk once the TA configuration is saved successfully. You are 
required to restart Splunk only when you configure TA for the first time. Restarting 
Splunk enables TA to reload the configuration from the app.conf file, which is modified 
when TA is configured. 


If you are upgrading to TA 1.8.9, you have to manually enter the Qualys API credentials 
again after the upgrade; otherwise you won't be able to access the Qualys API server. 
Before entering the credentials, we recommend that you clear your browser cache and do 
a hard reload. 




The "Configure This App" page has these sections: 

Qualys API Server 
- Qualys API Server (Note: The URL should start with HTTPS.) 

Qualys Credentials 
- Username 
- Password 
- Confirm Password 
(Note: Leave username/password blank if you have already set it up.) 

Collapsible sections: 
- Client Certificate 
- API Timeout Settings 
- VM Detection Settings 
- WAS Findings Settings 
- Policy Compliance Settings 
- Container Security Settings for Images 
- Container Security Settings for Containers 
- FIM Settings for Events 
- FIM Settings for Ignored Events 
- FIM Settings for Incidents 
- Endpoint Detection and Response Settings 
- Activity Log Settings 
- Knowledge Base Settings 
- Secure Enterprise Mobility Settings 
- Policy Compliance Reporting Service Settings 
- Proxy Configuration 
- More Settings 


Which URL do I enter for the Qualys API Server? 


You'll enter the Qualys API Server URL for the Qualys Cloud Platform where your account 
is located. Click here if you need help finding the URL. 


Which account credentials do I provide? 


The username and password for the Qualys account you want to sync with Splunk. Note - 
If you return to TA Setup page at a later time, your saved credentials won't be visible. Do 
not enter credentials again as this will add another credential pair to the passwords.conf 
file and may cause issues when trying to pull data. 




Note - If your TA version is 1.8.7 or higher, you do not have to remove the passwords.conf 
file to update TA credentials. Just update the credentials from the TA setup page without 
removing the passwords.conf file. 


Can I authenticate using a client certificate? 


Yes. Select "Use a Client certificate for authentication" and provide your PEM-encoded 
X.509 certificate (.pem file). You'll also need to provide the certificate key (.key file) if it's 
separate from the certificate, and enter a passphrase if the certificate/key file is 
encrypted. 


Can I configure multiple Qualys instances via one Qualys TA App? 


You cannot create multiple Qualys instances using one Qualys TA app instance running 
on a Splunk instance. A single TA app instance does not support configuring multiple 
Qualys user accounts. The solution is to create multiple TA instances across multiple 
forwarders and configure one user account on each TA instance. 


VM Detection Data 


Configure settings for collecting VM detection data. Select one or more logging options to 
indicate the type of data you want to view in Splunk. 


Enter API input parameters (in the Extra parameters field) for the Host Detection API to 
pull select vulnerability data from your Qualys account. 


For example, only pull data for certain hosts by specifying ips=10.10.10.2-10.10.10.10. 
Refer to the API user guides. 


VM Detection Settings 

- Log Host Summary events 
- Log extra statistics in host summary (breakdown of vulnerability count by severity and 
  type, and by severity and status) 
- Log Individual Host Vulnerabilities 
- Log host information with each detection (e.g. IP, OS, DNS, NetBIOS) 
- Host fields to log: ID,IP,TRACKING_METHOD,DNS,NETBIOS,OS,LAST_SCAN_DATETIME,TAGS,NETWORK_ID,LAST_VM_SCA… 
  Enter host XML tag names from the API response to be logged in the event, 
  comma-separated (e.g. ID,IP,TRACKING_METHOD,DNS). 
- Detection fields to log: QID,TYPE,PORT,PROTOCOL,SSL,STATUS,LAST_UPDATE_DATETIME,LAST_FOUND_DATETIME,FIRST_FOU… 
  Enter detection XML tag names from the API response to be logged in the event, 
  comma-separated (e.g. QID,TYPE,PORT,PROTOCOL). 
- Max characters allowed in RESULTS field: 0 
  Value 0 means TA won't truncate the RESULTS field. A non-zero value means TA will 
  truncate the RESULTS field at that length. 
- Extra parameters for Detection API: show_results=1&show_igs=1&truncation_limit=19 
  Enter as URL Query (e.g. a=1&b=string) or as JSON (e.g. {"a":1, "b": "string"}). The 
  following parameters are NOT allowed: action, output_format, vm_processed_after, ids, 
  suppress_duplicated_data_from_csv, max_days_since_last_vm_scan, max_days_since_vm_scan 
- Load detection data using multiple threads (resource intensive) 
- Number of threads to use (between 1 and 10): 3 

VM Detection - Advanced Settings 

- Enable full data pull always? If checked, TA will always do a full data pull. Leave 
  unchecked for incremental pull. 
- Enable seed file generation? If checked, TA will only generate a .seed file instead of 
  streaming data. You will have to explicitly import it later. Leave unchecked to let TA 
  stream data into Splunk. 
- Directory path where to generate the .seed file 
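The "Extra parameters" fields for the VM Detection, Policy Compliance, Activity Log and SEM feeds accept the same two formats (URL query or JSON object) and each has its own list of names the TA reserves for itself. The following is an added example, not code from the Qualys TA, of a pre-save check for those fields; the function name parse_extra_params and the reserved-name sets are this example's own, with the names copied from the lists on this page.

```python
"""Validate a TA "Extra parameters" field before it reaches the Qualys API.

Added illustration, not part of the Qualys TA: it accepts the two formats the
setup page describes (a URL query such as a=1&b=string, or a JSON object such
as {"a":1, "b": "string"}) and rejects the parameter names the page lists as
not allowed for each feed, because TA sets those itself.
"""
import json
from urllib.parse import parse_qsl

# Reserved parameter names, copied from the setup page for each feed.
VM_DETECTION_RESERVED = {
    "action", "output_format", "vm_processed_after", "ids",
    "suppress_duplicated_data_from_csv", "max_days_since_last_vm_scan",
    "max_days_since_vm_scan",
}
PC_POSTURE_RESERVED = {
    "action", "output_format", "details", "status_changes_since",
    "policy_ids", "show_remediation_info", "cause_of_failure",
    "include_dp_name", "policy_id", "truncation_limit",
}
ACTIVITY_LOG_RESERVED = {
    "action", "output_format", "since_datetime", "until_datetime",
}
SEM_RESERVED = {
    "action", "detection_updated_since", "detection_updated_before",
    "truncation_limit",
}


def parse_extra_params(text, reserved):
    """Return the extra parameters as a dict of str -> str.

    Raises ValueError for malformed input or for a reserved parameter name.
    """
    text = (text or "").strip()
    if not text:
        return {}
    if text.startswith("{"):
        # JSON form: values are flattened to strings, as they would be on the
        # query string of the API request.
        try:
            data = json.loads(text)
        except json.JSONDecodeError as exc:
            raise ValueError(f"extra parameters are not valid JSON: {exc}") from exc
        if not isinstance(data, dict):
            raise ValueError("JSON extra parameters must be an object")
        params = {str(k): ("" if v is None else str(v)) for k, v in data.items()}
    else:
        # URL query form; strict_parsing rejects a fragment without '='.
        pairs = parse_qsl(text, keep_blank_values=True, strict_parsing=True)
        params = {}
        for key, value in pairs:
            if key in params:
                raise ValueError(f"parameter '{key}' given more than once")
            params[key] = value
    clash = sorted(set(params) & set(reserved))
    if clash:
        raise ValueError(f"reserved parameter(s) not allowed here: {', '.join(clash)}")
    return params


if __name__ == "__main__":
    # Constructed inputs: the setup page's own VM example, the host-range
    # filter from this page, and a rejected attempt to override 'action'.
    print(parse_extra_params("show_results=1&show_igs=1&truncation_limit=19",
                             VM_DETECTION_RESERVED))
    print(parse_extra_params("ips=10.10.10.2-10.10.10.10", VM_DETECTION_RESERVED))
    try:
        parse_extra_params("ips=10.10.10.2-10.10.10.10&action=list",
                           VM_DETECTION_RESERVED)
    except ValueError as err:
        print("rejected:", err)
```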


Why choose “Log host information with each detection”? 


Choose this option if you want to log host information (IP, OS, DNS, NetBios) along with 
each detection. 


Tell me about the “Host fields to log” and “Detection fields to log” fields 


1) In the "Host fields to log" field, we show the default output fields that you will see for 
host assets on Splunk for VM events. You can add additional comma-separated host XML 
tag names such as "Asset_ID" returned in the Host List API response that you want to log 
in the event or remove any existing tag that you don't want to log. 


2) In the "Detection fields to log" field, we show the default output fields that you will see 
for host detection on Splunk for VM events. You can add additional comma-separated 
detection XML tag names such as "AFFECT_EXPLOITABLE_CONFIG" and 
"AFFECT_RUNNING_KERNEL" returned in the Host List Detection response that you want 
to log in the event or remove any existing tag that you don't want to log. 


Tell me about the “Max characters allowed in RESULTS” field 


The "Max characters allowed in RESULTS" field lets you specify the maximum number of 
characters that will appear in the RESULTS field. If the number of characters exceeds the 
maximum allowed, TA truncates the excess characters after parsing the RESULTS field and 
appends the message "[TRUNCATED XXX Characters]" to the RESULTS field. The max length 
includes the characters in the appended message. The default value is zero, which means 
TA won't truncate any characters while parsing and you will see the entire value in the 
RESULTS field in Splunk. 


What values are shown in the "RESULT_TRUNCATED" field? 


The "RESULT_TRUNCATED" field shows values based on whether the RESULTS field is 
truncated by TA or Splunk. 


1) The "RESULT_TRUNCATED" field is set to "0" if neither TA nor Splunk truncates the 
value in the RESULTS field. 


2) The "RESULT_TRUNCATED" field is set to "1" when Splunk truncates the RESULTS field. 
This happens if the truncation value set for the RESULTS field in the props.conf file in 
Splunk is greater than that set on the TA set up page. In this case, the difference between 
the truncation values set in the TA and Splunk is truncated by Splunk after TA truncates 
the RESULTS field as per the value specified in the "Max characters allowed in RESULTS" 
field. 


3) The "RESULT_TRUNCATED" field is set to "2" if TA, after parsing the event, truncates the 
RESULTS field value and if the truncation value set for the RESULTS field in the props.conf 
file in Splunk is either the same or less than that set for the RESULTS field for VM on the 
TA set up page. 


Note that if Splunk truncates the RESULTS field, then the message “[TRUNCATED XXX 
Characters]” in the Results field is not shown. 
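As an added illustration, not the TA's own code, here is the TA-side truncation rule applied to a RESULTS value: the limit applies to the stored string including the appended "[TRUNCATED XXX Characters]" message, so the digit count of XXX has to be solved for rather than assumed. The function name truncate_results is this example's own; the RESULT_TRUNCATED code is set separately under the rules above and is not modelled here.

```python
"""Reproduce the TA-side RESULTS truncation this page describes.

Added illustration, not the TA's own code: when "Max characters allowed in
RESULTS field" is non-zero and the parsed RESULTS value is longer than that,
the value is cut and "[TRUNCATED XXX Characters]" is appended, with the limit
applying to the final string including the appended message.
"""

NO_LIMIT = 0                 # the setup page default: never truncate
MSG_PREFIX = "[TRUNCATED "
MSG_SUFFIX = " Characters]"


def truncate_results(results, max_chars):
    """Return (stored_value, removed_count) for a parsed RESULTS value.

    removed_count is 0 when nothing was cut, i.e. the case in which TA leaves
    the value alone (RESULT_TRUNCATED stays "0" unless Splunk truncates).
    """
    if max_chars == NO_LIMIT or len(results) <= max_chars:
        return results, 0
    # The number of removed characters appears inside the message, and the
    # message counts against max_chars, so the digit count of "XXX" feeds
    # back into how much must be removed.  Try digit counts until one is
    # self-consistent (the removed count grows by one per extra digit, so
    # this always settles or runs out of room).
    fixed_len = len(MSG_PREFIX) + len(MSG_SUFFIX)
    for digits in range(1, 12):
        keep = max_chars - fixed_len - digits
        if keep < 0:
            raise ValueError(
                f"max_chars={max_chars} cannot hold the truncation message")
        removed = len(results) - keep
        if len(str(removed)) == digits:
            stored = results[:keep] + f"{MSG_PREFIX}{removed}{MSG_SUFFIX}"
            assert len(stored) == max_chars   # the limit includes the message
            return stored, removed
    raise ValueError("no consistent truncation length found")


if __name__ == "__main__":
    # Constructed sample: a 100-character RESULTS value with a limit of 50.
    stored, removed = truncate_results("A" * 100, 50)
    print(len(stored), removed, stored)
```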


What are VM Detection-Advanced Settings? 


The “Enable full data pull always?” option allows you to specify whether TA should do a 
full data pull or an incremental pull on each run. By default, this is not selected and TA 
does an incremental pull. Select the option to pull the full host detection data from Qualys 
account and put it on Splunk. 


The "Enable .seed file generation?" option tells TA to generate a .seed file at the location 
you specify, which you then import into Splunk, instead of TA streaming the host detection 
data into Splunk. You can specify either a directory path or a file path. If you specify a 
directory path, TA creates a new .seed file each time it pulls data. If you specify a file, TA 
appends data to the same .seed file. 


We strongly recommend that you get in touch with our support team if you want to change 
the VM Detection-Advanced Settings. 


How to configure directory path for the .seed file on Splunk Cloud? 


Directory path for the .seed file on Splunk Cloud must start with 
$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp. TA-QualysCloudPlatform shows 
an error while generating the .seed file if you configure any other path. 


What are the event types for searching VM Detection data in Splunk? 


Note that we provide default event types that you can use to search for VM detection data 
pulled in Splunk. See Event Types for Searching your Apps Data. 


Policy Compliance Data 


Choose one or more options to specify what posture data you want to fetch and index in 
Splunk for your policy. 

1) Select "Log individual PC Compliance Posture events" to fetch posture info for all the 
host assets. 
2) Select "Log Policy Summary" to fetch policy summary information. These two options 
are selected by default. 
3) Select "Log "All" details" to fetch full posture data. If the check box is not selected, we 
will show only basic details for your policy. 
4) Select the "Add additional fields (REMEDIATION, RATIONALE, EVIDENCE, 
CAUSE_OF_FAILURE)" check box to fetch and index full posture data and also data for 
these additional fields. 


We use “policy_id” parameter to pull posture information. TA will first fetch all the policy 
IDs using the Compliance Policy List API and then for each policy_id, it fetches the posture 
information using the Compliance Posture Information API. 


The “Number of posture info records per API request” option lets you specify the number 
of posture info records that will be returned per request for a single policy. The value in 
this field will be used for the “truncation_limit” parameter of the PC posture API request. If 
the requested list identifies more records than the truncation limit, then the XML output 
includes the <WARNING> element and the URL for making another request for the next 
batch of records. 


The default value is 1000. If you specify 0, then TA will fetch all the posture information 
for a policy ID in a single output. We recommend paginated output if the posture info data 
is large. 


Enter API input parameters (in the Extra parameters field) for the Posture Information API. 
For example, specify IDs of the hosts for which you want to collect the compliance posture 
information. Refer to the API user guides. 


Policy Compliance Settings 

Note: The PC feed does not pull the SCAP information. 

- Log individual PC Compliance Posture events 
- Log Policy Summary 
- Log "All" details (when unchecked, logs "Basic" details) 
- Add additional fields (REMEDIATION, RATIONALE, EVIDENCE, CAUSE_OF_FAILURE) 
- Enable multi-threading for PC Posture Information download 
- Number of threads to use for PC Posture Information (max 10): 2 
- Number of posture info records per API request: 200 
- Extra parameters for Posture Information API 
  Note: Enter as URL Query (e.g. a=1&b=string) or as JSON (e.g. {"a":1, "b": "string"}). The 
  following parameters are NOT allowed: action, output_format, details, 
  status_changes_since, policy_ids, show_remediation_info, cause_of_failure, 
  include_dp_name, policy_id, truncation_limit 


Note that we provide default event types that you can use to search for policy compliance 
data pulled in Splunk. See Event Types for Searching your Apps Data. 


WAS (Web Application Scanning) Findings Settings 


Configure WAS Finding settings to collect WAS data from your Qualys WAS account. You 
can choose to log individual findings and/or web application summary events. 


Enter API input parameters (in the Extra parameters field) for the WAS Findings API to pull 
select data from your Qualys account. For example, specify IDs of web applications for 
which you want to view data. Refer to the API user guides. 


WAS Findings Settings 

- Log Individual Findings 
- Log Web App summary events 
- Extra parameters to WAS Findings API 
  Enter as XML (e.g. <filters><Criteria field="group" operator="IN">XSS, SQL, INFO</Criteria></filters>) 
- Load WAS Findings data using multiple threads (resource intensive) 
- Number of threads to use (between 1 and 10): 3 

Note that we provide default event types that you can use to search for WAS Findings data 
pulled in Splunk. See Event Types for Searching your Apps Data. 


Container Security Data Settings for Images 


Configure these settings to collect Container Security data for individual docker image 
vulnerabilities and summary of events for docker images. 


Enter API input parameters (in the Extra parameters field) for the Docker Image 
Vulnerability API. This lets you pull only select vulnerability data for docker images from 
your Qualys account. For example, specify Ids of docker images for which you want to 
view vulnerability data. Go to the Container Security online help for API information. 


Container Security Settings for Images 

- Log individual docker image vulnerability events 
- Log docker image summary events 
- Enable multi-threading to download docker image vulnerabilities 
- Number of threads to use for CS feed (max 10): 2 
- Page size: 1000 
- Extra filters for Docker Image API 
  Enter as Elastic Search Query (e.g. a:1 or b.c:string OR a:1 and b.c:string). The following 
  parameters are NOT allowed: pageNumber, pageSize, updated 


Note that we provide default event types that you can use to search for CS data for images 
pulled in Splunk. See Event Types for Searching your Apps Data. 


Container Security Data Settings for Containers 


Configure these settings for collecting CS data for containers. Select one or more logging 
options to indicate whether you want to log and show individual vulnerabilities on a 
container and/or a summary of vulnerabilities found on a container. The summary will 
include the total number of vulnerabilities with a breakdown of potential, confirmed and 
patchable vulnerabilities. 


Enter API input parameters (in the Extra filters for Containers field) for the Container 
Vulnerability API. This lets you pull specific containers and their vulnerability data from 
your Qualys account. For example, if you want to download data only about running 
containers that have severity 5 vulnerabilities, you would specify state:RUNNING and 
vulnerabilities.severity:5 in the Extra filters field. Go to the Container Security Online 
Help for API information. 


Container Security Settings for Containers 

- Log individual docker container vulnerability events 
- Log docker container summary events 
- Enable multi-threading to download docker container vulnerabilities 
- Number of threads: 3 
  Multi-threading is resource-intensive. Please set a value only between 2 and 10 (both 
  inclusive). 
- Page size: 1000 
- Extra filters for Containers 
  Please refer to the Qualys UI help for search filters. The following parameters are NOT 
  allowed: pageNo, pageSize, updated 


Note that we provide default event types that you can use to search for CS data for 
containers pulled in Splunk. See Event Types for Searching your Apps Data. 


FIM data settings for events, ignored events and incidents 


Configure FIM Settings for Events, Ignored Events and Incidents to collect FIM data for 
events, ignored events and incidents from your Qualys FIM account. 


Enter API input parameters (in the Extra filters for FIM Events API, Extra filters for FIM 
Ignored Events API, Extra filters for FIM Incidents API) to specify what data (events, 
ignored events and incidents) will be pulled from your Qualys account. 


For example, specify "action: rename" to pull all the events that are generated for this 
action. 


FIM Settings for Events 

- Page size: 1000 
- Extra filters for FIM Events API 
  Enter as Elastic Search Query (e.g. a:1 or b.c:string OR a:1 and b.c:string). The following 
  parameters are NOT allowed: pageNumber, pageSize, dateTime 

FIM Settings for Ignored Events 

- Page size: 1000 
- Extra filters for FIM Ignored Events API 
  Enter as Elastic Search Query (e.g. a:1 or b.c:string OR a:1 and b.c:string). The following 
  parameters are NOT allowed: pageNumber, pageSize, dateTime 

FIM Settings for Incidents 

- Page size: 1000 
- Extra filters for FIM Incidents API 
  Enter as Elastic Search Query (e.g. a:1 or b.c:string OR a:1 and b.c:string). The following 
  parameters are NOT allowed: pageNumber, pageSize, dateTime 


Note that FIM UI uses the user's local timezone while the Splunk-FIM integration uses 
UTC timezone by default. If you are trying to match results from UI to Splunk integration, 
you will need to match Qualys UI and Splunk Integration timezones. 


Note 


TA versions greater than 1.6.5 only work with FIM API version 2.0.2.0 
and later and not with versions earlier than 2.0.2.0. 


Note that we provide default event types that you can use to search for FIM events, 
ignored events, and incidents pulled in Splunk. See Event Types for Searching your Apps 
Data. 


Endpoint Detection and Response Settings 


Configure Endpoint Detection and Response (EDR) API settings to fetch the EDR data from 
your Qualys EDR account. Enter the API input parameters (in the Extra parameters to pass 
to Indication of Compromise API) to specify what EDR data (events) will be pulled from 
your Qualys account. 


TA uses the default parameters "(type:file AND indicator.score>0) OR (type:process AND 
action:running)" in the API request to call the EDR API. These parameters are shown in the 
EDR settings. You can customize the API request by adding new parameters or modifying 
the existing parameters. 


Endpoint Detection and Response Settings 

- Page size: 1000 
- Extra filters for Endpoint Detection and Response API: (type:file AND indicator.score>0) OR (type:process AND action:running) 
  Enter as Elastic Search Query (e.g. a:1 or b.c:string OR a:1 and b.c:string). 


Note that we provide default event types that you can use to search for EDR data pulled in 
Splunk. See Event Types for Searching your Apps Data. 


Activity Log Settings 

Configure Activity Log settings to fetch activities from your Qualys account. Enter the API 
input parameters (in the Extra parameters to pass to Activity Log API) to specify what 
Activity Log data (events) will be pulled from your Qualys account. 


Activity Log Settings 

- Extra parameters for Activity Log API 
  Note: Enter as URL Query (e.g. a=1&b=string) or as JSON (e.g. {"a":1, "b": "string"}). The 
  following parameters are NOT allowed: action, output_format, since_datetime, 
  until_datetime 


Note that we provide default event types that you can use to search for Activity log data 
pulled in Splunk. See Event Types for Searching your Apps Data. 


KnowledgeBase Settings 


Configure Knowledge Base settings to fetch Solution, Consequence, and Diagnosis 
information in the KB data and to enable or disable indexing KnowledgeBase (KB) data in 
Splunk. The "Index the KnowledgeBase..." check box indicates whether TA, after pulling 
the KnowledgeBase data, will index it in Splunk or write it into a CSV file. 


Knowledge Base Settings 

- Log additional fields (SOLUTION, CONSEQUENCE, DIAGNOSIS) 
- Index the knowledge base. CSV lookup file will NOT be created. 
  Note: This feature is helpful if you are using a distributed setup. 


When you select the check box and click Save, TA fetches the KB data and then indexes 
this data into Splunk. If you are on the distributed setup environment, we recommend you 
to select this option so that you can get the updated KnowledgeBase data on the Search 
Head and generate the KB CSV file from the Search Head. 


If the check box is not selected, TA does not index the KB data and creates a KB CSV file. 
The CSV file will have KB data from 1999-01-01 till the current date. By default, this option 
is disabled. 


After you enable the index KB data option, the KB data will be indexed in Splunk. Next, 
you need to generate the KB CSV lookup on the Search Head using Splunk's scheduled 
saved searches feature. To generate the KB CSV lookup on the Search Head, create a 
scheduled saved search on the Search Head, and then create the KB CSV lookup definition. 
Creating the "scheduled saved searches" and the "KB CSV Lookup Definition" on the 
Search Head are one-time activities that you perform when you enable KB indexing for 
the first time. 


Note that we recommend these steps if you are using distributed Splunk setup & have 
enabled the index KB data option on the TA setup page. 


If you disable the KB indexing option later, then disable the scheduled saved searches and 
lookup definitions created for KB indexing. If you enable the KB indexing option again 
after disabling it, then just re-enable the scheduled saved searches and lookup definitions 
created for KB indexing instead of creating them again. 


Create scheduled saved searches on the Search Head 
1) Go to Settings > Searches, Reports, and Alerts. 
2) On the Searches, Reports, and Alerts page, click New Report. 


[Screenshot: Create Report dialog with the Title, Description, Search, Earliest time and 
Latest time fields.] 

3) On the Create Report screen, enter a title & description for the new report. For example, 
you can have a title: Generate KB CSV Lookup and a description: Generate KB CSV Lookup. 


4) In the Search field, copy and paste this SPL and replace the {INDEX_NAME} with the 
actual index name which you have set for KnowledgeBase data input. The SPL will read 
the KB data for the specified fields using the specified index that has the Qualys 
KnowledgeBase source type and then write this data in the KB CSV output file. 


index={INDEX_NAME} sourcetype="qualys:knowledgebase" | table QID, SEVERITY, 
VULN_TYPE, PATCHABLE, PCI_FLAG, TITLE, CATEGORY, PUBLISHED_DATETIME, 
CVSS_BASE, CVSS_TEMPORAL, CVSS_VECTOR_STRING, CVSS_V3_BASE, 
CVSS_V3_TEMPORAL, CVSS_V3_VECTOR_STRING, CVE, VENDOR_REFERENCE, 
THREAT_INTEL_IDS, THREAT_INTEL_VALUES, BUGTRAQ_IDS | outputlookup 
qualys_kb.csv 


Note: If you have selected the Log additional fields (SOLUTION, CONSEQUENCE, 
DIAGNOSIS) option in the Knowledge Base settings, then you must specify these fields in 
the SPL provided above. 


5) In the App field, select the Search & Reporting (search) option to generate the KB CSV 
file under the directory: SPLUNK_HOME/etc/apps/search/lookups/. 


6) Click Save to create the report. When you click Save, you will be navigated back to the 
Searches, Reports, and Alerts page. 


7) On the Searches, Reports, and Alerts page, select Search & Reporting (search) from the 
app drop-down field. 


8) Navigate to the report title that you have created, then click Edit to schedule the report. 
9) Click Edit and select the Edit Schedule option. 
10) On the Edit Schedule screen, select the Schedule Report check box. 
11) From the Schedule drop-down field, select Run on Cron Schedule. 


12) In the Cron Expression input field, enter the cron expression that specifies the schedule 
for running the report. For example, enter */2 * * * * to run the report every 2 
minutes. 


13) In the Time Range field, select the All time option to pull all the index data. 
14) Click Save. 


Create KB CSV Lookup Definition on the Search Head 
These steps let you access the KB CSV file data using the lookup. 


1) Go to Settings > Lookups and on the Lookups page, click Add New in the Lookup 
definitions row to create lookup for KB CSV file. 


[Screenshot: Add new lookup definition page.] 

2) From the Destination app field, select the search option to select the destination app to 
be used for the lookup. 


3) In the Name field, enter a name as qualys_kb_lookup. 

4) From the Type field, select the File-based option. 

5) From the Lookup file field, select the qualys_kb.csv option. 
6) Click Save to create the KB CSV lookup. 


What happens when you disable KB indexing option after enabling it first? 


When you disable KB indexing after enabling it first, the user may not get updated data or 
may see a blank dashboard. This is because on disabling the KB indexing, the lookup file 
generated from the scheduled search will be removed from the 
"SPLUNK_HOME/etc/apps/search/lookups/" directory. As a result, TA will read the lookup 
file that is now generated in the default 
"SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/lookups/" directory. 


To see updated data and avoid a blank dashboard, you should disable the scheduled 
saved searches when you disable KB indexing after enabling it first. You need to disable 
the scheduled saved searches because, when they run, they won't fetch the latest KB data 
if the KB indexing option is disabled. 
What happens when you enable the "index KnowledgeBase data" option? 


When you enable indexing, TA determines if the KB data is getting indexed for the first 
time into Splunk or KB data has been indexed before. If TA determines that the KB data is 
indexed the first time, then the entire KB data from 1999-01-01 is pulled. TA pulls the 
entire data so that the KB data which you could see before upgrading TA will be available 
to you in the new version. On the other hand, if KB data has been indexed before, then TA 
uses the KB checkpoint date of the last run to pull the KB data. 


How does TA determine if the KB data is getting indexed for the first time? 


When you upgrade Splunk TA to 1.8.4 or later and choose to index the KB data into 
Splunk, TA will determine if the KB indexing option is enabled for the first time. TA does 
this by checking if the KB checkpoint file is empty and if the KB CSV file exists. Note that 
TA creates a KB CSV file when you upgrade Splunk TA to 1.8.4 or later. If TA finds these 2 
conditions true, then TA will fetch the KB data from 1999-01-01, update the KB checkpoint 
file with the latest date time, and remove the KB CSV file from the lookup folder if it exists. 


Later, if you delete the KB checkpoint file or clear the KB checkpoint file data, then before 
indexing the KB data, TA checks whether the KB checkpoint file is empty and the KB CSV file 
doesn't exist. If both conditions are true, TA assumes that the KB indexing option is not being 
enabled for the first time. In this case, TA uses the start date provided on the KB data input 
form to pull the KB data from your Qualys account and updates the KB checkpoint file with the 
latest date and time. 


Note that if the index KB check box is not selected, TA will generate the KB CSV file but TA 
does not update the KB checkpoint file. 
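The decision TA makes here, written out as an added Python example (not the TA's own code): it reads a checkpoint file and checks for the KB CSV lookup to choose between a full pull from 1999-01-01, continuing from the last checkpoint, or falling back to the form's start date. The file names, the form date and the run timestamp are constructed for illustration.

```python
import os
import tempfile

# TA pulls the whole KnowledgeBase from this date on a first-time index
FULL_HISTORY_START = "1999-01-01T00:00:00Z"


def kb_indexing_start_date(checkpoint_path, csv_path, form_start_date, index_kb_enabled):
    """Decide where the next KB pull starts.

    Returns (start_date, first_time). start_date is None when the index-KB
    check box is off: TA then only writes the CSV and leaves the checkpoint alone.
    """
    if not index_kb_enabled:
        return None, False
    checkpoint = ""
    if os.path.exists(checkpoint_path):
        with open(checkpoint_path) as fh:
            checkpoint = fh.read().strip()
    csv_exists = os.path.exists(csv_path)
    if checkpoint == "" and csv_exists:
        # Empty checkpoint and a KB CSV left by the upgrade: first-time indexing, pull everything
        return FULL_HISTORY_START, True
    if checkpoint == "" and not csv_exists:
        # Empty checkpoint but no CSV: the checkpoint was deleted or cleared by hand,
        # so this is not a first-time run and the form's start date is used
        return form_start_date, False
    # Normal case: continue from the checkpoint of the last run
    return checkpoint, False


def finish_kb_run(checkpoint_path, csv_path, run_end_time, first_time):
    """After a pull: store the latest date/time; a first-time run also removes the CSV lookup."""
    with open(checkpoint_path, "w") as fh:
        fh.write(run_end_time)
    if first_time and os.path.exists(csv_path):
        os.remove(csv_path)


def demo():
    """Walk the scenarios from this section in a scratch directory; returns the decisions taken."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        ckpt = os.path.join(d, "kb_checkpoint")     # hypothetical checkpoint file name
        csv = os.path.join(d, "qualys_kb.csv")       # hypothetical KB CSV lookup name
        form_date = "2021-01-01T00:00:00Z"           # constructed Start Date from the data input form
        # 1. Upgrade created the CSV, checkpoint is still empty -> pull from 1999-01-01
        open(csv, "w").close()
        open(ckpt, "w").close()
        start, first = kb_indexing_start_date(ckpt, csv, form_date, True)
        out["first_time"] = (start, first)
        finish_kb_run(ckpt, csv, "2022-03-21T15:59:19Z", first)  # constructed run timestamp
        out["csv_removed"] = not os.path.exists(csv)
        # 2. Next scheduled run -> continue from the stored checkpoint
        out["subsequent"] = kb_indexing_start_date(ckpt, csv, form_date, True)
        # 3. Operator clears the checkpoint; CSV is gone -> form start date, not first time
        open(ckpt, "w").close()
        out["cleared"] = kb_indexing_start_date(ckpt, csv, form_date, True)
        # 4. Index-KB check box off -> no KB pull decision, checkpoint untouched
        out["disabled"] = kb_indexing_start_date(ckpt, csv, form_date, False)
    return out


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(scenario, "->", decision)
```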


Secure Enterprise Mobility Settings 


Configure Secure Enterprise Mobility (SEM) settings to fetch asset and asset detection data 
from your Qualys SEM account. The SEM settings section has options that enable you to 1) 
log the asset summary events, 2) log the individual asset detections, 3) set the number of 
records that will be fetched per API request (default limit is 1000), and 4) provide extra 
parameters, if any, for the SEM API. The default option is to log both the individual asset 
detections and the asset summary events. You can choose one or both options. 


[Screenshot: Secure Enterprise Mobility Settings section with the following fields] 

Log Individual Asset Detections (check box) 
Log Asset Summary events (check box) 
Number of SEM records per API request: 1000 
Extra parameters to SEM API: Enter as URL Query (e.g. a=1&b=string). The following parameters are NOT allowed: action, detection_updated_since, detection_updated_before, truncation_limit 
SEM data processing 


We will use two dates to fetch the SEM data: the start date and current date. The start date 
is the date from which TA will pull the SEM data from your Qualys SEM account. TA will 
use the start date as the checkpoint date from the SEM checkpoint file if the file is 
available; else, it will use the start date from the data input page (Settings > Data Inputs > 
Add Data). This date is stored in the detection_updated_since parameter. 


The second date is the current date in the YYYY-MM-DDTHH:MM:SSZ format. This date is 
stored in the detection_updated_before param. 

TA makes a call to the asset list API with detection_updated_since, detection_updated_before, 
action=list, truncation_limit and the extra parameters, if any, to fetch into Splunk all the SEM 
data available between the start date and the current date. 


Note that if API response has a <WARNING> tag, TA makes a pagination call to pull the 
next data set. 


Post-processing of SEM data 


After receiving the SEM API response, we extract the asset ID from the 
<ASSET><ID></ID></ASSET> tag and create a new <ASSET_ID> tag for each <DETECTION> tag. The 
asset ID in the DETECTION tag helps the user identify the asset ID for a detection. We also 
remove the <DETECTION_LIST> tag from the <ASSET> tag and show the remaining asset information. 


In the end, if more than one record is logged as an event in Splunk, TA updates the checkpoint 
file with the value of detection_updated_before (i.e. the current date of the data input run). 
The checkpoint file is not updated if no records are found. 


SEM Event types 


TA logs the fetched SEM data into two event types: 1) asset information (<ASSET></ASSET>) is 
logged into the “qualys_sem_asset_summary_event” event type in Splunk, and 2) asset detections 
(<DETECTION></DETECTION>) are logged into the “qualys_sem_detection_event” event type. 
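The SEM processing described in the last three sections, as an added Python example (not the TA's code): it rejects the forbidden extra parameters, builds the asset list request, splits the response into the two event types (copying the ASSET ID into each DETECTION and dropping DETECTION_LIST), detects the <WARNING> pagination marker, and advances the checkpoint only when records were logged. The XML layout and the sample response are constructed assumptions, not a captured Qualys payload.

```python
import copy
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Parameters the SEM settings form forbids in "Extra parameters to SEM API",
# because TA sets them itself on every asset list call.
DISALLOWED_EXTRA = {"action", "detection_updated_since",
                    "detection_updated_before", "truncation_limit"}

ASSET_SUMMARY_EVENTTYPE = "qualys_sem_asset_summary_event"
DETECTION_EVENTTYPE = "qualys_sem_detection_event"

# Fixed "current date" so the example is reproducible (constructed)
SAMPLE_NOW = datetime(2022, 3, 21, 15, 59, 19, tzinfo=timezone.utc)


def disallowed_extra_params(extra_query):
    """Names in a URL-query style extra-parameter string (e.g. a=1&b=string) that TA rejects."""
    names = {k for k, _ in parse_qsl(extra_query, keep_blank_values=True)}
    return sorted(names & DISALLOWED_EXTRA)


def build_sem_params(checkpoint_date, form_start_date, extra_query="", limit=1000, now=None):
    """Assemble the asset list API query: the checkpoint date (if any) wins over the
    data-input start date; the upper bound is 'now' in YYYY-MM-DDTHH:MM:SSZ form."""
    bad = disallowed_extra_params(extra_query)
    if bad:
        raise ValueError("extra parameters not allowed: %s" % ", ".join(bad))
    now = now or datetime.now(timezone.utc)
    params = {
        "action": "list",
        "detection_updated_since": checkpoint_date or form_start_date,
        "detection_updated_before": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "truncation_limit": str(limit),
    }
    params.update(parse_qsl(extra_query, keep_blank_values=True))
    return params


def postprocess_sem(xml_text):
    """Split one API response into the two event types.
    Returns (asset_summary_events, detection_events, has_more_pages)."""
    root = ET.fromstring(xml_text)
    summaries, detections = [], []
    for asset in list(root.iter("ASSET")):      # materialise first: we edit the tree below
        asset_id = asset.findtext("ID")
        detection_list = asset.find("DETECTION_LIST")
        if detection_list is not None:          # an empty <DETECTION_LIST/> is falsy, so test for None
            for det in detection_list.findall("DETECTION"):
                det = copy.deepcopy(det)
                det.tail = None
                # Copy the asset ID into each detection so a detection event is self-describing
                ET.SubElement(det, "ASSET_ID").text = asset_id
                detections.append(ET.tostring(det, encoding="unicode"))
            asset.remove(detection_list)        # the summary event keeps the asset fields only
        asset.tail = None
        summaries.append(ET.tostring(asset, encoding="unicode"))
    # A <WARNING> element in the response means the result was truncated: paginate
    has_more = root.find(".//WARNING") is not None
    return summaries, detections, has_more


def next_checkpoint(previous, detection_updated_before, records_logged):
    """Advance the SEM checkpoint only when the run actually logged records."""
    return detection_updated_before if records_logged > 0 else previous


# Constructed sample response (element layout assumed for illustration)
SAMPLE_SEM_XML = """<ASSET_LIST_OUTPUT><RESPONSE><ASSET_LIST>
<ASSET><ID>101</ID><NAME>phone-01</NAME><DETECTION_LIST>
<DETECTION><QID>1001</QID><SEVERITY>3</SEVERITY></DETECTION>
<DETECTION><QID>1002</QID><SEVERITY>5</SEVERITY></DETECTION>
</DETECTION_LIST></ASSET>
<ASSET><ID>102</ID><NAME>tablet-02</NAME><DETECTION_LIST/></ASSET>
</ASSET_LIST><WARNING><URL>https://example.invalid/next-page</URL></WARNING>
</RESPONSE></ASSET_LIST_OUTPUT>"""


def run_once(checkpoint_date, form_start_date, extra_query, now):
    """One data-input run over the sample: build params, post-process, decide the checkpoint."""
    params = build_sem_params(checkpoint_date, form_start_date, extra_query, now=now)
    summaries, detections, has_more = postprocess_sem(SAMPLE_SEM_XML)
    events = [(ASSET_SUMMARY_EVENTTYPE, e) for e in summaries] + \
             [(DETECTION_EVENTTYPE, e) for e in detections]
    checkpoint = next_checkpoint(checkpoint_date, params["detection_updated_before"], len(events))
    return {"params": params, "events": events, "has_more": has_more, "checkpoint": checkpoint}


if __name__ == "__main__":
    result = run_once(None, "2021-01-26T00:00:00Z", "a=1&b=string", SAMPLE_NOW)
    for eventtype, body in result["events"]:
        print(eventtype, body)
    print("paginate:", result["has_more"], "checkpoint ->", result["checkpoint"])
```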


Policy Compliance Reporting Service Settings 


Configure the Policy Compliance Reporting Service (PCRS) settings to fetch the policy and 
the posture data from your subscribed Qualys PCRS account. 
The PCRS settings section has options that allow you to: 

- Add additional field evidence, 
- Add the number of policy Ids to be used in the Resolve Host Id API (maximum limit is 10, and 
the default value is 2). 


[Screenshot: Policy Compliance Reporting Service Settings section with the following fields] 

Add additional field evidence (check box) 
Number of Policy Ids to use for Resolve Host Ids API (max 10): 2 


Select the Add additional field evidence check-box to pull the evidence data for the 
posture information records. By default, this field is disabled. 


The Number of Policy Ids to use for Resolve Host Ids API (max 10) field defines the number of 
policies considered for the subsequent Resolve Host API call to pull the hosts associated with 
the respective policy Ids. The policy Ids are divided into multiple threads and data is pulled 
accordingly. 


Proxy Configuration 


Provide the proxy server IP address and credentials for Qualys API requests. 


[Screenshot: Proxy Configuration section with the following fields] 

Use a proxy server for Qualys API requests (check box) 
Proxy Server and credentials (e.g. 10.10.10.2:8080 OR username:password@10.10.10.2:8080) 


Preserve API Output 


Select this check box to save the API output files in Splunk. By default, this check box is 
not selected. When checked, TA will preserve JSON/XML files of API output for all the 
modules for which TA is configured to pull the data from your Qualys cloud. 


[Screenshot: More Settings section with the check boxes "Enable debug logs" and "Enable to preserve the XML/JSON files of API output"] 
Configure Data Sync 


TA-QualysCloudPlatform pulls Qualys data and indexes it in Splunk on a regular basis. 


Scripts parse and convert the Qualys API output to Splunk friendly format (CIM-compliant 
in Splunk parlance). 


Go to Settings (on the top menu) and select Data Inputs. 

[Screenshot: Splunk Settings menu, with Data inputs highlighted under the DATA column] 


Then click the “Add new” link for the Qualys Technology Add-On, as shown below. 


[Screenshot: Settings > Data inputs page. Under Local inputs it lists Files & directories, HTTP Event Collector, TCP, UDP and Scripts, each with an "Add new" link; the Qualys Technology Add-On has its own row with an "Add new" link.] 
Choose the Qualys metric (data feed input) you're interested in, specify when to start 
pulling data and how often. Then click Next. Repeat these steps for each metric you want. 


[Screenshot: Settings > Data Inputs > Add Data form for the Qualys Technology Add-On. The form fields and their help text:] 

Qualys Metrics: for example, knowledge_base. 

Cron entry or Interval: This could be a cron format entry OR an old style interval between subsequent runs. If you upgraded from version 1.1.0, it is recommended to change this to cron format for more control. Old style intervals are still supported for backward compatibility. Old format: *w*d*h*m*s, where * is any positive number. For example: 12h to run 12 hours after the last run. You can omit the letter if the value is 0. Note - the API rate limit according to your API tier will be applicable. 

Start Date: For the fim_events, fim_ignored_events, and fim_incidents Qualys Metrics, the date to start the data pull from should be in UTC in ISO 8601 format: "YYYY-MM-DDThh:mm:ss.msZ". Ex: 2017-01-01T00:00:00.000Z. For the sem_detection Qualys Metric, the date should be in UTC in ISO 8601 format: "YYYY-MM-DDThh:mm:ssZ". Default value is "2021-01-26T00:00:00Z". For other Qualys Metrics, the date should be in UTC in ISO 8601 format: "YYYY-MM-DDThh:mm:ssZ". Default value is "1999-01-01T00:00:00Z". For knowledge_base, the 'Start Date' field is applicable only if 'Index the knowledge base' is enabled on the TA setup page. For host_detection, this value refers to the host scanned date. For was_findings, this value refers to the last tested date. 

For VM data, choose knowledge_base and host_detection. You need to create 2 data inputs: 
one for knowledge_base and another for host_detection. 

For PC data, choose policy_posture_info. 

For WAS data, choose knowledge_base and was_findings. You need to create 2 data inputs: 
one for knowledge_base and another for was_findings. 

For CS image data, choose cs_image_vulns. 
For CS container data, choose cs_container_vulns. 
For FIM events data, choose fim_events. 
For FIM ignored events data, choose fim_ignored_events. 
For FIM incidents data, choose fim_incidents. 
For EDR data, choose edr_events. 
For Activity Log data, choose activity_log. 
For SEM data, choose sem_detection. 
For PCRS data, choose pcrs_posture_info. 


Tip - When setting the interval, keep in mind your Qualys scanning schedule. If you're 
scanning weekly, you don't need to sync data daily. 
Does the script pull all data or deltas only? 


The first time a script runs it pulls all data from your Qualys account. After that it pulls 
only the changes. 


Qualys data is added to Splunk 


You'll notice each scan has a separate entry in Splunk. If you purge hosts using your 
Qualys account the data is not removed from Splunk. 


How to assign a custom index to an event type? 
From TA v1.7.1 onwards, macro definitions for indexes are no longer supported. 
Specify a custom index from UI 


Go to Settings > Event types and from the App drop-down select Qualys Technology Add- 
On for Splunk. Navigate to the event type that you want to update. Click the event type 
and update the search string to specify Index=<name of the custom index>. 


Specify a custom index from CLI 


To set a custom index, copy the eventtypes.conf file from 
$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/default/ to 
$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/ and update the search string of the 
required event type to specify Index=<name of the custom index>. Then restart Splunk. 
Enable the Data Feed to Start in Splunk 


Return to Settings > Data Inputs > Qualys Technology Add-On. You'll see each of the 
Qualys metrics you selected. Make sure you enable these. 


[Screenshot: Settings > Data inputs > Qualys page listing the configured Qualys Metrics with their Cron entry or Interval, Start Date and Status, and the actions Enable/Disable, Clone and Delete. Shown metrics: cs_container_vulns, cs_image_vulns, fim_events, fim_ignored_events, fim_incidents, host_detection, edr_events, knowledge_base, policy_posture_info, was_findings and sem_detection. Click Enable on each data feed.] 


Once you enable data feeds, check the $SPLUNK_HOME/etc/apps/TA- 
QualysCloudPlatform/tmp directory on your search head to see the XML files begin to 
download. Depending on how much data there is, it can take from hours to days to 
download the first data set. 


Note that for all FIM data inputs, choose a date equal to or greater than 
2017-01-01T00:00:00.000Z. 
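The two Add Data form fields described under Configure Data Sync, together with the FIM date floor just noted, as an added Python example (not the TA's code): it tells a five-field cron entry apart from the old *w*d*h*m*s interval and converts the latter to seconds, and it applies the per-metric Start Date formats and defaults given on the form. The metric names, formats and defaults come from this guide; the function names and error handling are assumptions.

```python
import re
from datetime import datetime, timezone

# Old-style interval "*w*d*h*m*s": each * is a positive number; a unit is omitted when its value is 0
OLD_INTERVAL_RE = re.compile(r"^(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
UNIT_SECONDS = (7 * 86400, 86400, 3600, 60, 1)

FIM_METRICS = {"fim_events", "fim_ignored_events", "fim_incidents"}
FIM_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"       # "YYYY-MM-DDThh:mm:ss.msZ" on the form
PLAIN_FORMAT = "%Y-%m-%dT%H:%M:%SZ"        # "YYYY-MM-DDThh:mm:ssZ" for all other metrics
FIM_MIN_START = datetime(2017, 1, 1, tzinfo=timezone.utc)
DEFAULT_START = {"sem_detection": "2021-01-26T00:00:00Z"}
OTHER_DEFAULT_START = "1999-01-01T00:00:00Z"


def parse_interval(value):
    """Return ("cron", fields) for a five-field cron entry or ("interval", seconds) for the old style."""
    value = value.strip()
    fields = value.split()
    if len(fields) == 5:
        return "cron", fields
    m = OLD_INTERVAL_RE.match(value) if value else None
    if m is None:
        raise ValueError("not a cron entry or *w*d*h*m*s interval: %r" % value)
    seconds = sum(int(n) * mult for n, mult in zip(m.groups(), UNIT_SECONDS) if n)
    if seconds == 0:
        raise ValueError("interval must be positive: %r" % value)
    return "interval", seconds


def validate_start_date(metric, value):
    """Apply the per-metric Start Date rules; returns an aware UTC datetime.
    An empty value falls back to the form default where the guide states one."""
    if not value:
        if metric in FIM_METRICS:
            raise ValueError("%s: a Start Date is required" % metric)  # no default is stated for FIM
        value = DEFAULT_START.get(metric, OTHER_DEFAULT_START)
    fmt = FIM_FORMAT if metric in FIM_METRICS else PLAIN_FORMAT
    try:
        start = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        raise ValueError("%s: %r does not match %s" % (metric, value, fmt))
    if metric in FIM_METRICS and start < FIM_MIN_START:
        raise ValueError("%s: FIM inputs need a date on or after 2017-01-01T00:00:00.000Z" % metric)
    return start


def start_date_ok(metric, value):
    """Boolean wrapper around validate_start_date for quick checks."""
    try:
        validate_start_date(metric, value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_interval("12h"), parse_interval("1d12h"), parse_interval("22 15 28 8 *"))
    print(validate_start_date("sem_detection", ""),
          validate_start_date("fim_events", "2017-01-01T00:00:00.000Z"))
    # A pre-2017 FIM date and a millisecond timestamp on a non-FIM metric are both rejected
    print(start_date_ok("fim_events", "2016-12-31T00:00:00.000Z"),
          start_date_ok("host_detection", "2019-01-01T00:00:00.000Z"))
```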


How to setup for a Search Head Cluster 


1) Install Qualys TA on your Forwarder. Depending on the type of data you want to ingest, 
add and enable all or any of these data inputs: host_detection, was_findings, 
policy_posture_info. 


2) Use Deployer to push Qualys visualization apps. 


3) On each Search Head, manually configure the event types. To add event types, go to 
Settings > Event types. On the Event types page, click New Event Type. In the Add new 
page, provide the search string for the new event type and click Save. 
How to index KB data into Splunk 


We support indexing of the KnowledgeBase (KB) data in Splunk so that the Splunk TA 
users on the distributed setup environment can get the updated KnowledgeBase data on 
the Search Head from the Heavy Forwarder. 


On the TA set up page, we added a KnowledgeBase Settings section that has a check box 
“Index the KnowledgeBase. CSV lookup...”. 


[Screenshot: Knowledge Base Settings section with the following check boxes] 

Log additional fields (SOLUTION, CONSEQUENCE, DIAGNOSIS) 
Index the knowledge base. CSV lookup file will NOT be created. 


The check box indicates whether to index the KnowledgeBase data in Splunk or to write the 
data into a CSV file. When you select the check box and click Save, TA fetches the KB data 
and indexes it in Splunk. If the check box is not selected, TA does not index the KB data 
into Splunk and creates a CSV file instead. The CSV file will have KB data from 1999-01-01. 


[Screenshot: Settings > Data Inputs > Add Data form for the Qualys Technology Add-On with Qualys Metrics set to knowledge_base, showing the Cron entry or Interval and Start Date fields with the help text described under Configure Data Sync. The help text additionally notes: For cs_image_vulns, this value refers to the image scan date.] 


On the Settings > Data Inputs > Add Data page for Qualys technology add on, we added 
the information that for knowledge_base “Start Date” field is applicable only if the “Index 
the KnowledgeBase. CSV lookup...” option is enabled for the Knowledge Base settings on 
the TA set up page. 


After you enable the index KB data option, you need to generate KB CSV lookup on the 
Search Head. See KnowledgeBase Settings. 
How to get the RESULTS field indexed in host detection input 


Update the optional parameters on the TA setup page to include “show_results=1”. Already 
have optional parameters listed? Simply append this with an '&' sign, for example 
“show_tags=1&show_results=1”. 


How to populate the Diagnosis, Consequence and Solution 
information in Splunk 

Go to the KnowledgeBase Settings section on the TA setup page and select the “Log 
additional fields (SOLUTION, CONSEQUENCE, DIAGNOSIS)” check box. TA will fetch the 
Diagnosis, Consequence, and Solution fields from the Qualys cloud in the KB data. Search the 
KB data in Splunk to view information related to these fields. 
View your Qualys Data in Splunk! 


We provide additional apps that make use of the data collected by the TA. You'll get 
dashboards and reports, and you'll be able to easily search your data. 


Simply download and install these apps. There is no setup needed! 


- Qualys VM App for Splunk Enterprise 
- Qualys PC App for Splunk Enterprise 
- Qualys WAS App for Splunk Enterprise 
- Qualys CS App for Splunk Enterprise 
- Qualys FIM App for Splunk Enterprise 
- Qualys EDR App for Splunk Enterprise 
- Qualys PCRS App for Splunk Enterprise 


Once installed, you'll see the new apps on your Splunk Home page. 


Click any app on your Home page to view data. 


[Screenshot: Splunk Home page. The Apps list shows Search & Reporting and the installed Qualys CS, EDR, FIM, PC, PCRS, VM and WAS Apps for Splunk Enterprise; click an app to get dashboards and reports.] 




Sample VM Dashboard 


[Screenshot: Qualys VM App for Splunk Enterprise dashboard with the panels Total Hosts, Active Hosts, OS distribution, Top 10 Hosts (Active and Severity 5 vulns), Most Prevalent Vulnerabilities (QID, TITLE, CATEGORY, SEVERITY, HOST_COUNT), Host/Vuln Count over time (Severity >=3) and Scan Volume] 


Sample WAS Dashboard 


[Screenshot: Qualys WAS App for Splunk Enterprise dashboard with the panels Findings Over Time (Findings Count and cumulative, 2018 to 2021), Total Web Applications, Total Findings per Severity level, OWASP Top 10 and Total Findings per Application (webapp_id, webapp_name, Total Findings, Last Tested Date)] 
Sample PC Dashboard 


[Screenshot: Qualys PC App for Splunk Enterprise dashboard with the single-value panels Hosts (36), Policies (1,066) and Controls (4,820), and the panels Status Over Time, Status, Status by Criticality, Failing Controls by Criticality and Top 10 Policies with Failing Controls] 

[Screenshot: Qualys CS App for Splunk Enterprise dashboard with the panels Registries, Repositories, Total logged Images, Running Drift Containers, Vulns on Running Containers, Total Logged Vulns on Containers, Count of Container by State (PAUSED, RUNNING, STOPPED), Vulns by Patchability on Running Containers, Vulns by Detection Type on Running Containers, Image Vulns by High Data Loss and Confirmed Vulns on Running Containers by Severity Over Time] 
[Screenshot: Qualys FIM App for Splunk Enterprise dashboard with the panels TOTAL CHANGES, EVENTS BY SEVERITY, FILE & DIRECTORY CHANGES BY CHANGE ACTION (Attributes, Create, Delete, Rename, Security), TOP CHANGES BY USER, TOP CHANGES BY PROCESS and CHANGES BY OS] 
Sample EDR Dashboard 


[Screenshot: Qualys EDR App for Splunk Enterprise dashboard with a time range filter and the panels Actionable Events, Count of Malware score, Affected Assets, TOP Malware Detections, Malware Detections by Category, Top 10 Malware Files and Detections by Indicator Type] 

[Screenshot: Qualys PCRS App for Splunk Enterprise dashboard with the panels Hosts, Policies, Controls, Status Over Time, Status, Status by Criticality and Failing Controls by Criticality] 
[Screenshot (continued): PCRS dashboard tables Top 10 Policies with Failing Controls (Policy Id, Policy Title, No. of Failed Controls, Last Evaluated DateTime), Top 10 Least Compliant Hosts (Host Id, Host DNS, No. of Failed Controls) and Policies Not Evaluated In Last 10 Days (Policy Title, Last Evaluated DateTime)] 
Note: The following image displays the time taken to ingest the events. 
[Screenshot: Debug dashboard of the Qualys PCRS App for Splunk Enterprise, "Policy Compliance Reporting Service Time taken" panel, showing the TA log events for one pcrs_posture_info run:] 

    3/21/22 3:59:19.000 PM  TA-QualysCloudPlatform (pcrs_posture_info): 2022-03-21 15:59:19 PID=1329475 [MainThread] INFO: Qualys PCRS Populator finished. 
    3/21/22 3:59:19.000 PM  TA-QualysCloudPlatform (pcrs_posture_info): 2022-03-21 15:59:19 PID=1329475 [MainThread] INFO: PCRS input logged 1194 entries. 
    3/21/22 3:58:33.000 PM  TA-QualysCloudPlatform (pcrs_posture_info): 2022-03-21 15:58:33 PID=1329475 [MainThread] INFO: Qualys PCRS Populator started. 

    source = /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log   sourcetype = ta_QualysCloudPlatform-too_small 


Search Your Qualys Data 


Choose Search & Reporting on the Splunk Home page. Then enter your search query in the 
search field. Here are some sample search queries to get you started. 


Most Prevalent Vulnerabilities 


Sample search: 

    eventtype=qualys_vm_detection_event TYPE="CONFIRMED" SEVERITY>=3 
    | dedup 1 HOST_ID, QID, SSL, PROTOCOL, STATUS keepempty=true sortby -_time 
    | search STATUS!="FIXED" 
    | stats dc(HOST_ID) as HOST_COUNT by QID 
    | sort 10 -HOST_COUNT 
    | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY CATEGORY 
    | table QID, TITLE, CATEGORY, SEVERITY, HOST_COUNT 

Sample result (Statistics tab, 10 rows): 

    QID     TITLE                                                                                  CATEGORY                 SEVERITY  HOST_COUNT 
    12680   HTTP TRACE / TRACK Methods Enabled                                                     CGI                      3         6 
    90783   Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)  Windows               3         6 
    100350  Microsoft Internet Explorer Memory Corruption Remote Code Execution Vulnerability      Internet Explorer        5         5 
    34020   UDP Source Port Pass Firewall                                                          Firewall                 3         5 
    100346  Microsoft Internet Explorer Security Update for November 2018                          Internet Explorer        5         4 
    100349  Microsoft Internet Explorer Security Update for December 2018                          Internet Explorer        5         4 
    100351  Microsoft Internet Explorer Security Update for January 2019                           Internet Explorer        4         4 
    105228  Built-in Guest Account Not Renamed at Windows Target System                            Security Policy          3         4 
    121695  NTP 'monlist' Feature Denial of Service Vulnerability                                  Local                    3         4 
    38601   SSL/TLS use of weak RC4(Arcfour) cipher                                                General remote services  3         4 


Host Distribution by OS 


Sample search: 

    eventtype=qualys_host_summary_event | fillnull value="Unknown" OS | stats dc(HOST_ID) as HOSTS by OS 

Sample result (Statistics tab, first rows of 28): 

    OS                                                                  HOSTS 
    CentOS 6.6                                                          1 
    CentOS Linux 7.4.1708                                               1 
    CentOS Linux 7.6.1810                                               1 
    Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP                2 
    Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP / Linux 2.6    2 
    Linux 2.6                                                           10 


Scan Volume 


eventtype=qualys_host_summary_event | timechart dc(HOST_ID) as HOSTS

(Column chart: distinct HOSTS per time bucket, January 2017 to April 2021, All time; 52 events.)


Hosts not Scanned in more than 30 days 


Result (30 rows; every host in the sample account was last scanned on 2016-12-23, so all of them qualify). Cells that could not be read from the screenshot are left blank.

Last_Scanned         IP             Host Name                     OS
2016-12-23 15:32:14  64.41.200.231  demo01.s02.sjc01.qualys.com   Windows 2000 Service Pack 3-4 / Windows 2003 / Windows XP
2016-12-23 15:37:19  64.41.200.233  demo03.s02.sjc01.qualys.com   Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP
2016-12-23 15:37:20  64.41.200.235  demo05.s02.sjc01.qualys.com   Solaris 9-10
2016-12-23 15:37:21  64.41.200.242  demo12.s02.sjc01.qualys.com   Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP / Linux 2.6
2016-12-23 15:3      64.41.200.243  demo13.s02.sjc01.qualys.com   Ubuntu / Linux 2.6.x
2016-12-23 15:37:23  64.41.200.244  demo14.s02.sjc01.qualys.com   Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP / Linux 2.6
2016-12-23 15:37:24  64.41.200.245  demo15.s02.sjc01.qualys.com
2016-12-23 15:37:24  64.41.200.247  trn-win7.trn.qualys.com       Windows 2008 R2/7
2016-12-23           64.41.200.248  demo18.s02.sjc01.qualys.com   Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows 8 / Windows 10
2016-12-23 15:37:25  64.41.200.249  demo19.s02.sjc01.qualys.com   Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows 8 / Windows 10
2016-12-23           64.41.200.250  demo20.s02.sjc01.qualys.com   Ubuntu / Linux 2.6.x
2016-12-23 15:38:59  64.41.200.234  demo04.s02.sjc01.qualys.com   Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP
2016-12-23 15:38:59  64.41.200.238  demo08.s02.sjc01.qualys.com   Windows 2000 Service Pack 3-4 / Windows 2003 / Windows XP
2016-12-23 15:41:03  64.41.200.241  demo11.s02.sjc01.qualys.com
2016-12-23 15:47:46  64.41.200.246                                Windows
2016-12-23 15:50:50  64.41.200.237  demo07                        Windows XP
2016-12-23 15:51:51  64.41.200.236
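The guide does not print the search behind this table. The following search is an added example, not one of the app's own dashboard searches. It assumes the host summary event carries the host's last scan time in a field named LAST_SCAN_DATETIME in the Qualys API format (YYYY-MM-DDTHH:MM:SSZ) and the hostname in DNS; those two field names are assumptions, while HOST_ID, IP and OS are used on this page.

```spl
eventtype=qualys_host_summary_event
| dedup HOST_ID sortby -_time
| eval last_scanned_epoch=strptime(LAST_SCAN_DATETIME, "%Y-%m-%dT%H:%M:%SZ")
| where isnotnull(last_scanned_epoch) AND last_scanned_epoch < relative_time(now(), "-30d@d")
| eval Last_Scanned=strftime(last_scanned_epoch, "%Y-%m-%d %H:%M:%S"),
       days_since_scan=round((now() - last_scanned_epoch) / 86400)
| fillnull value="Unknown" OS
| rename DNS AS "Host Name"
| table Last_Scanned, days_since_scan, IP, "Host Name", OS
| sort Last_Scanned
```

Run it over All time: the TA only pulls hosts whose detections changed since its last checkpoint, so a host that has gone quiet has no recent summary event, and the dedup (newest first) keeps its last known summary in scope. Hosts with no parseable LAST_SCAN_DATETIME are dropped by the isnotnull check rather than silently sorted to the top.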


Search Container Security Data 


CS data is in JSON format, and the TA indexes CS events in a structured format, so you can search the CS data in Splunk using dot notation for nested fields (for example compliance.failCount or cvss3Info.baseScore).


Use these event types to search the different kinds of container data: cs_image_info_event for image details (including the per-image vulnerability counts), cs_vuln_info_event and cs_vuln_summary_event for image vulnerabilities, qualys_cs_container_details for container data, qualys_cs_container_vuln for container vulnerabilities and qualys_cs_container_vuln_summary for per-container vulnerability summaries.


For more information on creating search queries to filter CS data, refer to the Splunk Search Reference.


Sample JSON query to filter images matching a registry object in a repo list
eventtype="cs_image_info_event"
Result: 89 image info events in the sample account. Each event is one JSON document; expanding one shows the fields you can filter on:

  associatedContainersCount: 1
  associatedHostsCount: 1
  compliance: { errorCount, failCount, passCount }
  created: 2021-05-12T11:34:56Z
  imageId: b1ee5de3d743
  instrumentationState: null
  instrumentedFrom: 44869d2070b0...
  isDockerHubOfficial: false
  isInstrumented: false
  lastComplianceScanDate: 1620986503576
  lastFoundOnHost: { ... }
  lastVmScanDate: 1620934017496
  registryUuid: [ ... ]
  repo: [ ... ]
  repoDigests: [ ... ]
  scanErrorCode: null
  scanStatus: SUCCESS
  scanType: DYNAMIC
  sha: b1ee5de3d743...
  size: 440040442
  source: [ ... ]
  type: IMAGE_INFO

Note the mixed time formats: created is ISO 8601, while lastComplianceScanDate and lastVmScanDate are epoch milliseconds, so divide by 1000 before using strftime or comparing them with _time. imageId is the 12-character prefix of sha.
Sample JSON query to search images with a specific vulnerability severity count

eventtype="cs_image_info_event" "vulnerabilities.severity2Count"="2"


Result: 8 events. The matching events have the same layout as the one above (type: IMAGE_INFO, scanStatus: SUCCESS, scanType: DYNAMIC), each with a vulnerabilities.severity2Count value of 2.


Sample JSON query to search vulnerabilities on running containers

eventtype=qualys_cs_container_vuln [search eventtype=qualys_cs_container_details state=RUNNING | dedup containerId | fields + containerId]


Result: 5,586 container vulnerability events. The fields available for filtering include authType{}, category, containerId, customerSeverity, cveids{}, cvss3Info.baseScore, cvss3Info.temporalScore, cvssInfo.accessVector, cvssInfo.baseScore, cvssInfo.temporalScore, discoveryType{}, firstFound, lastFound, patchAvailable, port, product{}, published, qid, result, risk, sha, software, status and supportedBy. One expanded event:

  authType: [ ... ]
  category: Debian
  containerId: <12-character container id>
  customerSeverity: 3
  cveids: [ ... ]
  cvss3Info: { ... }
  cvssInfo: { ... }
  discoveryType: [ ... ]
  firstFound: 2020-10-01
  lastFound: ...
  patchAvailable: true
  port: null
  product: [ ... ]
  published: null
  qid: 177338
  result: #table cols="3" ...
  risk: 30
  sha: <container sha>
  software: [ ... ]
  status: null
  supportedBy: [ ... ]
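The subsearch above only narrows the vulnerability events to running containers; the next step a practitioner usually wants is to rank what is actually fixable. The following is an added example, not a search from the guide or the app. It uses the field names visible in the event above (containerId, qid, category, customerSeverity, patchAvailable, cveids, cvss3Info.baseScore, cvssInfo.baseScore) and assumes patchAvailable is indexed as the literal true/false shown there.

```spl
eventtype=qualys_cs_container_vuln patchAvailable=true customerSeverity>=4
    [search eventtype=qualys_cs_container_details state=RUNNING | dedup containerId | fields + containerId]
| dedup containerId, qid sortby -_time
| eval cvss3=coalesce('cvss3Info.baseScore', 'cvssInfo.baseScore')
| stats dc(containerId) AS running_containers,
        values(cveids{}) AS cves,
        max(cvss3) AS max_cvss
        BY qid, category, customerSeverity
| sort -running_containers, -max_cvss
| head 20
```

Two caveats. The dedup on containerId and qid keeps one row per container and QID so a vulnerability re-pulled on several runs is not counted several times. And the subsearch is subject to Splunk's subsearch limits (10,000 results and 60 seconds by default), so on a large fleet replace it with a scheduled search that writes the running container IDs to a lookup and filter against that instead.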


You can use the Debug dashboard to view debug information for one or more data inputs.


Debug dashboard filters:

- Select one or more data input types (for example Containers, Images)
- Select one or more log types (Error, Warning, Info, Debug)
- Select a time range (All time in the screenshot)

The Container Security log panel then lists the matching TA log lines (host 57f9cc193b7d, source /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log). Sample lines from one cs_container_vulns run:

TA-QualysCloudPlatform: 2019-01-22 04:30:08 PID=20984 [MainThread] INFO: TA-QualysCloudPlatform (cs_container_vulns) - Qualys CS Container Populator finished.
TA-QualysCloudPlatform: 2019-01-22 04:30:08 PID=20984 [MainThread] INFO: TA-QualysCloudPlatform (cs_container_vulns) - Total time taken to pull the data is 0:00:05.097241.
TA-QualysCloudPlatform: 2019-01-22 04:30:08 PID=20984 [MainThread] INFO: TA-QualysCloudPlatform (cs_container_vulns) - Container Populator logged 0 vulnerabilities.
TA-QualysCloudPlatform: 2019-01-22 04:30:08 PID=20984 [MainThread] INFO: TA-QualysCloudPlatform (cs_container_vulns) - Container Populator logged 0 containers.
TA-QualysCloudPlatform: 2019-01-22 04:30:08 PID=20984 [Thread-2] INFO: TA-QualysCloudPlatform (cs_container_vulns) - inbound queue exiting.
TA-QualysCloudPlatform: 2019-01-22 04:30:08 PID=20984 [Thread-2] INFO: TA-QualysCloudPlatform (cs_container_vulns) - inbound idsetQueue empty.
TA-QualysCloudPlatform: 2019-01-22 04:30:08 PID=20984 [Thread-1] INFO: TA-QualysCloudPlatform (cs_container_vulns) - inbound queue exiting.

The sourcetype shown in the screenshot is ta_QualysCloudPlatform-too_small. Splunk appends "-too_small" when it auto-classifies a log file that was still short when first read, so do not pin searches to that sourcetype name; filter on the source path instead, as the troubleshooting searches in this guide do.


Search FIM Data for Events and Incidents 


FIM events, ignored events and incidents ingested into Splunk can be searched by their event type, and further filtered with whatever SPL you need.


Here are some sample queries for searching FIM data in Splunk. 


Sample query to search for FIM events
eventtype="qualys_fim_event"


Result: 552 events in the last 24 hours. Each FIM event carries fields such as action (for example Rename) and a nested actor object.


Sample query to search for FIM ignored events 
eventtype="qualys_ignored_fim_event" 


Result: 16 ignored events in the last 24 hours, with the same layout as FIM events (for example action: Delete and a nested actor object).
Sample query to search for FIM incidents

eventtype="qualys_fim_incident"


Result: 1 incident in the last 24 hours. Incident fields include approvalDate, approvalStatus, approvalType, assignDate, changeType, comment, createdBy.date, createdBy.user.id, createdBy.user.name, customerId, deleted, dispositionCategory, filterFromDate, filters{}, filterToDate, id, lastUpdatedBy, marked, markupStatus, name, reviewers and splunk_event_type. The expanded event:

  approvalDate: 2019-03-29T14:58:13.376+0000
  approvalStatus: UNAPPROVED
  approvalType: MANUAL
  assignDate: 2019-03-29T14:55:45.133+0000
  changeType: MANUAL
  comment: (empty)
  customerId: a6df6808-8c45-eb8c-e040-10ac13041e17
  deleted: false
  dispositionCategory: PATCHING
  filterFromDate: 2019-02-01T05:00:00.000+0000
  filterToDate: 2019-03-01T04:59:59.999+0000
  filters: [ ... ]
  id: e4ffcac4-c75b-46aa-8eac-fcd260bf286d
  lastUpdatedBy: { ... }
  marked: true
  markupStatus: COMPLETED
  name: Services.exe Incident
  reviewers: [ ... ]
  splunk_event_type: FIM_INCIDENT
Search EDR Data




You can search for specific EDR events that the TA has pulled into Splunk from your Qualys account. Use eventtype="qualys_edr_event" or create your own SPL search query to filter the data.


Result: 1,410 events in the last 24 hours (source qualys, sourcetype qualys:edr:event). Fields available for filtering include action, asset.agentId, asset.customerId, asset.fullOSName, asset.hostName, asset.interfaces{}.gatewayAddress, asset.interfaces{}.interfaceName, asset.interfaces{}.ipAddress, asset.interfaces{}.macAddress, asset.netBiosName, asset.platform, asset.tags{}.name and asset.tags{}.uuid. One expanded event:

  action: RUNNING
  asset: { ... }
  dateTime: 2021-07-12T17:00:32Z
  eventProcessedTime: 2021-07-12T10:01:27.029+0000
  eventSource: EDR
  id: RTP_bf251cb4-a890-36a5-ad79-acbce2aa6f59_12-7-2021
  indicator2: [ ... ]
  process: { ... }
  score: 0
  type: PROCESS
  uniqueId: -7225191502821911881

The host field of these events shows the literal $decideOnStartup, the placeholder default from inputs.conf, because the modular input does not set a host. Filter on source and sourcetype rather than on host.


Search Activity Log Data 


You can search for specific Activity Log events that the TA has pulled into Splunk from your Qualys account. Use eventtype="qualys_activity_log_event" or create your own SPL search query to filter the data.


Result: 13 events (source qualys, sourcetype qualys:activityLog). One expanded event:

  Action: login
  Date: 2020-07-15T05:29:16Z
  Details: API: /msp/about.php
  Module: auth
  User IP: 103.216.98.78
  User Name: quays_qb59
  User Role: Reader
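The activity log is the audit trail of who used the Qualys account and from where, so the search most worth having is one that flags accounts logging in from more than one source address. The following is an added example, not a search from the guide or the app; it assumes the field names are exactly as displayed in the event above, including the spaces in "User Name", "User Role" and "User IP", and that Date sorts correctly as text because it is ISO 8601.

```spl
eventtype="qualys_activity_log_event" Action=login
| rename "User Name" AS user, "User Role" AS role, "User IP" AS src_ip
| stats count AS logins,
        dc(src_ip) AS distinct_ips,
        values(src_ip) AS source_ips,
        min(Date) AS first_login,
        max(Date) AS last_login
        BY user, role
| where distinct_ips > 1
| sort -distinct_ips, -logins
```

Dropping the where clause gives a plain per-account login inventory; keeping it surfaces shared or travelling credentials, which for an API account (Details shows the API endpoint called, as in "API: /msp/about.php") usually means the key is stored in more than one place.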


Search Secure Enterprise Mobility Data 


You can search for specific Secure Enterprise Mobility (SEM) events that the TA has pulled into Splunk from your Qualys account. Use eventtype="qualys_sem_asset_summary_event" to fetch the asset information and eventtype="qualys_sem_detection_event" to fetch the asset detection information. You can create your own SPL search query to filter the data.

The sample search shows asset information from the asset summary event.


eventtype="qualys_sem_asset_summary_event"

Result: 8 events (All time). The SEM asset summary is indexed as raw XML (source qualys, sourcetype qualys:sem:asset_summary), so only the default fields (host, index, linecount, punct, source, sourcetype, splunk_server, timestamp) are extracted automatically. One event looks like this:

<ASSET><ID>2957</ID><ASSET_FRIENDLY_NAME>sahirrao_AndroidForWork_8_3_2021_12_29_PM_Android_Google</ASSET_FRIENDLY_NAME><OS>Android</OS><OS_VERSION>10</OS_VERSION><ASSET_STATUS>Enrolled</ASSET_STATUS><LAST_SEEN>2021-10-05 09:31:43</LAST_SEEN><OWNERSHIP>Corporate - Owned</OWNERSHIP><MODEL_NAME>Pixel 2</MODEL_NAME><MODEL_NUMBER>Pixel 2</MODEL_NUMBER><MANUFACTURER>Google</MANUFACTURER><USERNAME>Sahirrao@qualysintegration.onmicrosoft.com</USERNAME></ASSET>

The other events in the screenshot describe iPhone 6 and iPhone 12 devices (iOS 12.5.4 and 14.1) and a HUAWEI LLD-AL10 (Android 9), with OWNERSHIP values of Corporate - Owned and Employee - Owned.
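Because the asset summary is raw XML, filtering on OS or LAST_SEEN needs the elements extracted first. The following search is an added example, not part of the guide or the app; it uses spath to pull out the elements shown in the event above and assumes LAST_SEEN is always in the YYYY-MM-DD HH:MM:SS form seen there.

```spl
eventtype="qualys_sem_asset_summary_event"
| spath path=ASSET.ID output=asset_id
| spath path=ASSET.OS output=os
| spath path=ASSET.OS_VERSION output=os_version
| spath path=ASSET.ASSET_STATUS output=status
| spath path=ASSET.OWNERSHIP output=ownership
| spath path=ASSET.LAST_SEEN output=last_seen
| spath path=ASSET.USERNAME output=user
| dedup asset_id sortby -_time
| eval last_seen_epoch=strptime(last_seen, "%Y-%m-%d %H:%M:%S"),
       stale=if(last_seen_epoch < relative_time(now(), "-14d@d"), 1, 0)
| stats count AS devices,
        sum(stale) AS stale_devices,
        values(os_version) AS os_versions
        BY os, ownership, status
| sort -stale_devices
```

The dedup on asset_id keeps the latest summary per device, which matters because every TA pull re-indexes the whole asset list. Replace the stats with `table asset_id, user, os, os_version, ownership, status, last_seen` to get the per-device list instead of the roll-up.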


Search Policy Compliance Reporting Service Data 


You can search for specific Policy Compliance Reporting Service (PCRS) events that the TA has pulled into Splunk from your Qualys account. Use eventtype="qualys_pcrs_posture_info_event" to fetch the posture (control evaluation) events, eventtype="qualys_pcrs_policy_info_event" to fetch the policy information and eventtype="qualys_pcrs_policy_summary" to fetch the policy summary. You can create your own SPL search query to filter the data.

The sample search shows a posture info event.


eventtype="qualys_pcrs_posture_info_event"

Result: 33,325,338 posture info events (All time). Expanding one event shows:

  assetId: 0
  causeOfFailure: null
  complianceLastScanDate: 2021-05-16T18:01:33Z
  controlId: 8325
  controlReference: null
  controlStatement: Status of the 'suid' files, ownership, permissions and programs on the host
  created: 2022-02-18T19:27:12Z

Posture info is by far the largest PCRS data set (one event per control per asset per pull), so bound ad hoc searches by time and reduce with stats rather than running All time searches that return raw events.


The sample search shows a policy info event.


eventtype="qualys_pcrs_policy_info_event"

Result: 646 events (All time, source qualys, sourcetype qualys:pcrs:policyinfo). One expanded event:

  createdBy: quays_st31
  createdDate: 2018-10-22T23:06:28Z
  id: 20178
  lastEvaluatedDate: 2018-10-22T23:06:28Z
  locked: 0
  modifiedBy: quays_st31
  modifiedDate: 2018-10-22T23:06:28Z
  status: inactive
  title: Policy_import_xml_UDC_Large_2018_10_22_16_05_30
The sample search shows a policy summary.


eventtype="qualys_pcrs_policy_summary"

Result: 2 events (All time, source qualys, sourcetype qualys:pcrs:policy_summary), one per policy:

  FAILED: 73392
  NUMBER_OF_CONTROLS: 441881
  PASSED: 368489
  POLICY_ID: 95473

  FAILED: 24432
  NUMBER_OF_CONTROLS: 147101
  PASSED: 122669
  POLICY_ID: 92474
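The policy summary gives counts but no policy name, and the policy info gives names but no counts. The following search is an added example, not part of the guide or the app, that joins the two into a compliance scorecard. It uses the fields shown in the two sample events above and assumes the id field of the policy info event is the same identifier as POLICY_ID in the summary.

```spl
eventtype="qualys_pcrs_policy_summary"
| dedup POLICY_ID sortby -_time
| eval pass_pct=round(100 * PASSED / NUMBER_OF_CONTROLS, 1)
| join type=left POLICY_ID
    [search eventtype="qualys_pcrs_policy_info_event"
     | dedup id sortby -_time
     | rename id AS POLICY_ID
     | fields POLICY_ID, title, status]
| table POLICY_ID, title, status, NUMBER_OF_CONTROLS, PASSED, FAILED, pass_pct
| sort pass_pct
```

Both dedups keep the newest event per policy so a policy re-pulled on several runs produces one row. The left join keeps summaries whose policy info has not been pulled yet (their title is empty), which is itself a useful signal that the policy info input is lagging.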


Event Types for Searching your Apps Data

Here is the list of default event types for Qualys Apps. You can use these event types when searching your Apps data in Splunk.

Note: {INDEX_NAME} stands for the index the TA writes to. If you configured a custom index, substitute its name; otherwise substitute main.

Event types for VM Detection data

1) Event Type Name - qualys_vm_detection_event
   Search Query - index={INDEX_NAME} (sourcetype="qualys:hostDetection" OR sourcetype="qualys_vm_detection") "HOSTVULN"

2) Event Type Name - qualys_host_summary_event
   Search Query - index={INDEX_NAME} (sourcetype="qualys:hostDetection" OR sourcetype="qualys_vm_detection") "HOSTSUMMARY"

Event types for WAS Findings data

1) Event Type Name - qualys_was_finding_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:wasFindings" "WAS_FINDING"

2) Event Type Name - qualys_was_summary_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:wasFindings" "WAS_SUMMARY"

Event types for Policy Compliance data

1) Event Type Name - qualys_policy_info_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:pc:policyInfo" "POLICY_INFO"

2) Event Type Name - qualys_posture_info_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:pc:postureInfo" "POSTURE_INFO"

3) Event Type Name - qualys_policy_summary_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:pc:postureInfo" "POLICY_SUMMARY"

Event types for Container Security data for images

1) Event Type Name - cs_image_info_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:cs:csimageinfo" "IMAGE_INFO"

2) Event Type Name - cs_vuln_info_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:cs:csimagevulninfo" "VULN_INFO"

3) Event Type Name - cs_vuln_summary_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:cs:csimagevulninfo" "VULN_SUMMARY"

Event types for Container Security data for containers

1) Event Type Name - qualys_cs_container_details
   Search Query - index={INDEX_NAME} sourcetype="qualys:cs:container" "CONTAINER_DETAILS"

2) Event Type Name - qualys_cs_container_vuln
   Search Query - index={INDEX_NAME} sourcetype="qualys:cs:containerVuln" type=CONTAINER_VULN

3) Event Type Name - qualys_cs_container_vuln_summary
   Search Query - index={INDEX_NAME} sourcetype="qualys:cs:containerVuln" type=CONTAINER_VULN_SUMMARY

Event types for FIM data for events, ignored events, and incidents

1) Event Type Name - qualys_fim_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:fim:event" splunk_event_type=FIM_EVENT

2) Event Type Name - qualys_ignored_fim_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:fim:ignored_event" splunk_event_type=FIM_IGNORED_EVENT

3) Event Type Name - qualys_fim_incident
   Search Query - index={INDEX_NAME} sourcetype="qualys:fim:incident" splunk_event_type=FIM_INCIDENT

Event types for Endpoint Detection and Response data

Event Type Name - qualys_edr_event
Search Query - index={INDEX_NAME} source="qualys" sourcetype="qualys:ioc:ioceventinfo" OR sourcetype="qualys:edr:event"

Event types for Activity log data

Event Type Name - qualys_activity_log_event
Search Query - index={INDEX_NAME} sourcetype="qualys:activityLog"

Event types for Secure Enterprise Mobility

1) Event Type Name - qualys_sem_asset_summary_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:sem:asset_summary"

2) Event Type Name - qualys_sem_detection_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:sem:detection"

Event types for Policy Compliance Reporting Service

1) Event Type Name - qualys_pcrs_policy_info_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:pcrs:policyinfo"

2) Event Type Name - qualys_pcrs_policy_summary
   Search Query - index={INDEX_NAME} sourcetype="qualys:pcrs:policy_summary"

3) Event Type Name - qualys_pcrs_posture_info_event
   Search Query - index={INDEX_NAME} sourcetype="qualys:pcrs:postureinfo"


App Management & Troubleshooting

App Management


How to remove the app 

1) Stop Qualys App for Splunk Enterprise: 
$SPLUNK_HOME/bin/splunk stop 

2) Remove Qualys App for Splunk Enterprise: 


$SPLUNK_HOME/bin/splunk remove app TA-QualysCloudPlatform -auth username:password


Note: To remove the TA app from Splunk cloud, raise a ticket with Splunk Support. 


Utility script to clean up left-over XML and PID files 


You'll sometimes see orphan XML files in the TA-DIR/tmp directory after the TA hits an error, for example while calling the API, reading the response stream or parsing the API response. When running the utility you can pass command line options to choose the data input(s) whose XML files should be cleaned up. The utility deletes all XML files belonging to the chosen data input(s), except those belonging to currently running TA processes.


Example 1: Help. Use the command below to see how the utility script can be used for specific data inputs.


my-user@my-host:$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform# 
$SPLUNK_HOME/bin/splunk cmd python ./bin/cleanup.py --help 


Example 2: Delete Host Detection and WAS Findings XML 


my-user@my-host:$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform# 
$SPLUNK_HOME/bin/splunk cmd python ./bin/cleanup.py --hd --was 


Example 3: Delete XML files belonging to all data inputs 


my-user@my-host:$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform# 
$SPLUNK_HOME/bin/splunk cmd python ./bin/cleanup.py --all 


Know important file paths in Splunk 


File                      Path 

Index                     $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/default/eventtype.conf 
KB lookup                 $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv 
API Credential            $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/passwords.conf 
Qualys TA Configuration   $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/qualys.conf 
Qualys TA log             $SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log 
Checkpoint                $SPLUNK_HOME/var/lib/splunk/modinputs/qualys 


Troubleshooting 


Looking for logs? 
Qualys logs are populated in Splunk’s index “_internal”. Use this search to find logs: 


index=_internal source="$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log" 


Troubleshooting the setup 
- Be sure to enter the proper API Server URL for the configuration. 


- Verify you can reach the API from the Splunk Search Head where you installed Qualys 
App for Splunk Enterprise (no firewall or other infrastructure in the way). 


- Be sure the Qualys user account you're using to connect has API access. Edit the user 
account in the Qualys UI and select the API access check box in the user settings. Don't 
see this option? Reach out to Qualys Support or your Technical Account Manager. 


Check that API calls are being made 
In the Splunk setup where failing account is used, run the following search to see if API 
calls are being made to Qualys APIs: 


index=_internal source="$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log" 
("/api/2.0/fo/asset/host/vm/detection/" OR "/api/2.0/fo/knowledge_base/vuln/" OR 
"/api/2.0/fo/compliance/posture/info/" OR "/qps/rest/3.0/search/was/finding") 

Check that data feed is enabled 

If you don't see any entry for the API call, then check that the data input was added and 
enabled. 

- If not enabled, please enable it. 


- If enabled, and you still don't see any records for the API call, please check the TA 
installation directory. If you find the host_detection.pid file in the installation directory, 
delete it. 


Note that you should see entries for the /api/2.0/fo/knowledge_base/vuln/ API call. 


Check error logs 

If everything is fine (inputs added and enabled; API calls are made) and you still don't 
have data, please check “_internal” index for errors logged for TA-QualysCloudPlatform. 
Run the following search and provide error logs to Qualys Support: 


index=_internal source="$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log" ERROR 


Delete the checkpoint file and pull the data again for a Qualys module 


Navigate to $SPLUNK_HOME/var/lib/splunk/modinputs/qualys/. Delete the checkpoint file 
of the desired module. For example, delete the 'host_detection' file for the Host Detection module 
and initiate the pull once again. TA will now pull the data from the date configured in 
Data Input Settings for the respective Qualys module. 


qualys.py is running even after the data input is disabled or Splunk is restarted 


This issue is seen mostly on Ubuntu OS, where the default shell is set to 'dash'. To fix this 
issue, set the default shell from 'dash' to 'bash'. 


Steps to change the Ubuntu configuration: 

1) ~# debconf-show dash 

* dash/sh: true 

2) ~# debconf-set-selections <<< "dash dash/sh string false" 

3) ~# debconf-show dash 

* dash/sh: false 

4) ~# dpkg-reconfigure -f noninteractive dash 

Removing 'diversion of /bin/sh to /bin/sh.distrib by dash' 
Adding 'diversion of /bin/sh to /bin/sh.distrib by bash' 
Removing 'diversion of /usr/share/man/man1/sh.1.gz to /usr/share/man/man1/sh.distrib.1.gz by dash' 
Adding 'diversion of /usr/share/man/man1/sh.1.gz to /usr/share/man/man1/sh.distrib.1.gz by bash' 

5) ~# debconf-show dash 

* dash/sh: false 

How to switch the Python interpreter to Python 3? 

1) Go to $SPLUNK_HOME/etc/system/local/server.conf 
2) Add python.version = python3 under [general]: 

[general] 
serverName = .localdomain 
pass4SymmKey = $/7$2Z03cCfEXoKvcETwaVM2FccRz6Wge4vUYOMEuycaGvZWzibplig2rt2w== 
python.version = python3 

3) Restart Splunk. 

Blank dashboard for the KnowledgeBase data 

Perform these steps to identify and troubleshoot the issue: 

- Check whether the correct index is used in the SPL added for the scheduled saved search. 


- In case you disabled indexing after enabling it earlier, then check whether the scheduled 
saved search is also disabled as it is running for the index in which data is not updated. 


- Go to Settings > Lookups > Lookup table files and, on the Lookup table files page, 
select "All" from the App drop-down field. Check which app qualys_kb.csv is generated for. 
With indexing enabled, the file should be present for the 'search' app; with indexing 
disabled, the file should be present for the 'TA-QualysCloudPlatform' app. If qualys_kb.csv is 
present for any other app, delete the file for that app, otherwise you may see a blank 
KnowledgeBase dashboard. 


URL to the Qualys API Server 


The Qualys API URL you should use for API requests depends on the Qualys platform 
where your account is located. 


Click here to identify your Qualys platform and get the API URL. 


You can easily find the API server URL for your account. Log in to your Qualys account and 
go to Help > About. You'll see this information under Security Operations Center (SOC). 


[Screenshot: Help > About dialog. The Security Operations Center (SOC) entry under Qualys Web Service shows the API server address for the account.] 


What's New 


New Feature in 1.10.2 
The new release comes with improvements in logging and minor enhancements in utility 
script. 


New Feature in 1.10.1 


Integration of the Qualys Policy Compliance Reporting Service with Splunk TA 


We have now integrated Qualys Policy Compliance Reporting Service (PCRS) with Splunk 
TA. You can now configure the TA app to fetch your PCRS data from your Qualys account. 


The PC APIs also pull the posture data, but due to hindrances such as CPU usage, memory 
consumption, and time consumption to pull the complete information, we introduced 
PCRS for TA apps. 


PCRS improves the data fetching of the huge data on the Qualys Cloud. Fetching data in 
PCRS is quicker for the accounts with millions of assets and postures. 


PCRS fetches data continuously in the following manner: 


1) Once you enable the data input, it first pulls the Policy IDs for the 
subscription ID. 

2) Divides the Policy IDs into threads and starts pulling the associated hosts. 

3) Calls the posture data for all the hosts associated with the policy IDs. 


We added a new Policy Compliance Reporting Service Settings section on the TA setup 
page where you can specify: 


- Add additional field evidence 
- The number of policy IDs that can be used in the Resolve Host ID API. 


For more details, refer to the Policy Compliance Reporting Service Settings section. 


[Screenshot: Policy Compliance Reporting Service Settings section, with the "Add additional field evidence" check box and the "Number of Policy Ids to use for Resolve Host Ids API (max 10)" field.] 


We also added a new Qualys Metrics "pcrs_posture_info" that you can use to create a cron 
job to pull your PCRS data. 


[Screenshot: Settings > Data Inputs > Qualys Technology Add-On, Add Data page. The Qualys Metrics drop-down lists knowledge_base, host_detection, was_findings, policy_posture_info, cs_image_vulns, cs_container_vulns, fim_events, fim_ignored_events, fim_incidents and edr_events. The Start Date help reads: for fim_events, fim_ignored_events, and fim_incidents the date to start the data pull from should be in UTC in ISO 8601 format "YYYY-MM-DDThh:mm:ss.msZ", e.g. 2017-01-01T00:00:00.000Z.] 


New Feature in 1.9.0 


Integration of the Qualys Secure Enterprise Mobility with Splunk TA 


With this release, we integrated Qualys Secure Enterprise Mobility (SEM) with Splunk TA. 
You can now configure TA app to fetch your SEM data from your Qualys account. 


On the TA setup page, we added a new Secure Enterprise Mobility Settings section where 
you can specify: 1) the SEM data that you want to fetch from your account, 2) the number 
of records that you want to fetch per API request, and 3) extra params, if any. See Secure 
Enterprise Mobility Settings. 


[Screenshot: Secure Enterprise Mobility Settings section, with "Log Individual Asset Detections", "Log Asset Summary events", "Number of SEM records per API request" (default 1000) and "Extra parameters to SEM API" (enter as URL query, e.g. a=1&b=string; the parameters action, detection_updated_since, detection_updated_before and truncation_limit are NOT allowed).] 


We also added a new Qualys Metrics "sem_detection" that you can use to create a cron job 
to pull your SEM data. The start date for Qualys Metrics should be in "YYYY-MM-DDThh:mm:ssZ" 
format and cannot be earlier than the default date "2021-01-26T00:00:00Z". 


[Screenshot: Add Data page with sem_detection in the Qualys Metrics drop-down. The Start Date help reads: for sem_detection the date to start the data pull from should be in UTC in ISO 8601 format "YYYY-MM-DDThh:mm:ssZ", default "2021-01-26T00:00:00Z"; for fim_events, fim_ignored_events, and fim_incidents the format is "YYYY-MM-DDThh:mm:ss.msZ", e.g. 2017-01-01T00:00:00.000Z; for other Qualys Metrics the format is "YYYY-MM-DDThh:mm:ssZ" with default "1999-01-01T00:00:00Z".] 


View Diagnosis, Consequence, and Solution information in KB data in Splunk 


We added a new check box in the KnowledgeBase Settings section on the TA setup page. 
When you select this check box, TA will fetch the Diagnosis, Consequence, and Solution 
information in the Splunk along with the other KB data. When you search for the KB data 
in Splunk, the new Diagnosis, Consequence, and Solution columns will show the 
information in the respective columns. 


[Screenshot: Knowledge Base Settings section, with the check boxes "Log additional fields (SOLUTION, CONSEQUENCE, DIAGNOSIS)" and "Index the knowledge base. CSV lookup file will NOT be created."] 


Note: This feature is helpful if you are using distributed setup. 


Improvements in 1.8.9 


Indication of Compromise (IOC) App rebranded as Endpoint Detection and Response 
(EDR) 


With this release, Indication of Compromise (IOC) App will be known as Endpoint 
Detection and Response (EDR) in Qualys TA. Because of this change, we replaced all the 
instances of IOC on TA UI (labels, IOC data input), log messages with EDR. 




If you are using IOC data input and choose to upgrade to TA 1.8.9, we will show you a 
warning message in the TA log for IOC data input. The warning message will inform that 
IOC data input is deprecated and you need to manually configure the EDR data input from 
the Splunk UI. 


If you are using the IOC data input and you enable the new EDR data input, we check whether an 
IOC data checkpoint is available. If we find an IOC checkpoint file and do not find an EDR 
checkpoint file, TA renames the IOC checkpoint file to the EDR checkpoint file and uses the 
IOC checkpoint as the start date to fetch the data for the EDR data input. 


If both the IOC and EDR checkpoints are available, TA fetches the data from the EDR 
checkpoint file and ignores the IOC checkpoint file. 
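The checkpoint hand-over described above, as an added example in Python that is not the TA's own code; the file names "ioc" and "edr" and their plain-text contents are my assumption about the modinputs checkpoint layout:

```python
import os
import tempfile
from typing import Tuple

# Assumed layout: one plain-text checkpoint file per data input inside the
# modinputs directory, named after the input and holding the last-fetched date.
IOC_CHECKPOINT = "ioc"
EDR_CHECKPOINT = "edr"


def _read_date(path: str) -> str:
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def edr_start_date(checkpoint_dir: str, configured_start: str) -> Tuple[str, str]:
    """Decide where the EDR input starts and perform the IOC -> EDR hand-over.

    Returns (start_date, source) where source is one of
    'edr'         - EDR checkpoint used, any IOC file is ignored,
    'ioc-renamed' - only the IOC checkpoint existed; it was renamed to EDR and used,
    'configured'  - no checkpoint at all; the Data Input Start Date applies.
    """
    ioc_path = os.path.join(checkpoint_dir, IOC_CHECKPOINT)
    edr_path = os.path.join(checkpoint_dir, EDR_CHECKPOINT)
    if os.path.isfile(edr_path):
        return _read_date(edr_path), "edr"
    if os.path.isfile(ioc_path):
        # os.replace is atomic on the same filesystem, so a crash half-way
        # leaves either the IOC or the EDR file in place, never neither.
        os.replace(ioc_path, edr_path)
        return _read_date(edr_path), "ioc-renamed"
    return configured_start, "configured"


def demo() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str], bool]:
    """Run the three cases against a throw-away directory (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        fresh = edr_start_date(d, "1999-01-01T00:00:00Z")
        with open(os.path.join(d, IOC_CHECKPOINT), "w", encoding="utf-8") as fh:
            fh.write("2021-01-10T00:00:00Z\n")
        renamed = edr_start_date(d, "1999-01-01T00:00:00Z")
        ioc_gone = not os.path.exists(os.path.join(d, IOC_CHECKPOINT))
        # Re-create an IOC file: with both present the EDR checkpoint wins.
        with open(os.path.join(d, IOC_CHECKPOINT), "w", encoding="utf-8") as fh:
            fh.write("2020-06-01T00:00:00Z\n")
        both = edr_start_date(d, "1999-01-01T00:00:00Z")
    return fresh, renamed, both, ioc_gone
```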


We removed the event types of the IOC data input. The new event type name for the EDR data 
input is 'qualys_edr_event'. For backward compatibility, that is to make the older IOC data 
available in Splunk along with the EDR data, we have merged the IOC and EDR source 
types into an EDR event type. When you use the EDR event type, we fetch the older IOC 
data for the IOC data input and the latest EDR data for the EDR data input. 


Note 

As the IOC App is deprecated, you need to manually add EDR and remove the IOC data input. 


Issues Fixed 

TA setup changes for Qualys API credentials 


We had an issue where the users using multiple technology add ons of different 
organizations were unable to configure username and password from the TA setup page. 


We fixed this issue by setting TA-QualysCloudPlatform-Api as realm name for Qualys API 
credentials in the passwords.conf file. 


The realm name was not set in previous releases. Now you can update the username and 
password from the TA setup page only if the user with the "TA-QualysCloudPlatform-Api" 
realm name exists in the passwords.conf file. 


Note that this means if you are upgrading to TA 1.8.9, you have to manually 
enter the Qualys API credentials again after the upgrade, otherwise you won't be able to access 
the Qualys API server. Before entering the credentials, we recommend that you empty 
your browser cache and do a hard reload. 


We will create a new entry for the username with the realm name in the passwords.conf 
file. This user name with realm name will be used to fetch data from your Qualys account. 


Add milliseconds in checkpoint file for FIM data inputs 


We fixed an issue where TA was not able to fetch FIM data because the checkpoint date or 
start date was only precise to seconds, whereas FIM expects dates in the millisecond (YYYY-MM- 
DDThh:mm:ss.msZ) format. To fix this issue, we now check the checkpoint or start date 
and add milliseconds to it if the date is only precise to seconds. 


Fixed incomplete API response XML file issue for Policy Compliance 
We fixed an issue where, for the Policy Compliance module, TA was unable to fetch data for the PC 
data input and showed an error message if the PC API returned incomplete data or an incomplete XML file. 


To fix this issue, now when TA will receive incomplete data or XML file, it will save this file 
as error file and will make the PC API call again to fetch the data from your Qualys 
account. 


Fixed 400 bad request issue for Container Security 


We fixed an issue where, due to a limitation of Elasticsearch for the Container Security data 
input, the CS API returned a 400 Bad Request error if the page size was not equally divisible 
by 10000. We have updated the logic so that the Elasticsearch limit of 10000 is not 
violated when fetching CS data. 


Improvements in 1.8.8 


TA to support date format in milliseconds for FIM data input 


As FIM now supports date in milliseconds format, TA will also accept date format with 
milliseconds to fetch FIM events, ignored events, and incident data. Due to this change, on 
the Data Input page, the start date to pull FIM data should be in UTC in ISO 8601 format: 
“YYYY-MM-DDThh:mm:ss.msZ’. 


If the Start Date field is blank, then we set the default start date to 1999-01-01T00:00:00Z 
and pull the data from this date. But as FIM requires milliseconds in the date format, we 
will now show an invalid date format message if you leave the Start Date empty for any of 
the FIM Qualys Metrics. For FIM Qualys Metrics, you need to manually enter the Start Date 
in UTC in ISO 8601 format: “YYYY-MM-DDThh:mm:ss.msZ’. 


We added this information on the Data Inputs screen (Settings > Data Inputs > Qualys 
Technology Add-On). 


Note that if you are upgrading to TA 1.8.8 and you have already added FIM data inputs, 
then edit the data inputs as per the new date/time format and save it again to let the data 
input run successfully. 
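The Start Date rules above (the 1.8.8 requirement that FIM metrics carry an explicit millisecond date, the 1.8.9 fix that pads a seconds-only FIM date, and the sem_detection floor from the 1.9.0 notes) combined into one resolver, as an added example that is not the TA's own code; the function and exception names are mine, the formats and dates are the documented ones:

```python
import re
from datetime import datetime, timezone

SECONDS_FMT = "%Y-%m-%dT%H:%M:%SZ"          # "YYYY-MM-DDThh:mm:ssZ"
MILLIS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"        # "YYYY-MM-DDThh:mm:ss.msZ"
DEFAULT_START = "1999-01-01T00:00:00Z"      # default for most Qualys Metrics
SEM_DEFAULT_START = "2021-01-26T00:00:00Z"  # default and floor for sem_detection
FIM_METRICS = {"fim_events", "fim_ignored_events", "fim_incidents"}

_SECONDS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
_MILLIS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")


class InvalidStartDate(ValueError):
    """Raised for the 'invalid date format' cases the release notes describe."""


def parse_utc(value: str) -> datetime:
    """Parse either accepted form into an aware UTC datetime. strptime also
    rejects impossible calendar values (month 13, hour 25) that a regex passes."""
    if _MILLIS_RE.match(value):
        fmt = MILLIS_FMT
    elif _SECONDS_RE.match(value):
        fmt = SECONDS_FMT
    else:
        raise InvalidStartDate(f"not an accepted ISO 8601 UTC date: {value!r}")
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise InvalidStartDate(f"{value!r}: {exc}") from exc


def add_milliseconds(value: str) -> str:
    """The 1.8.9 fix: a checkpoint or start date that is only precise to
    seconds gets '.000' appended so that it matches the FIM API format."""
    parse_utc(value)
    if _MILLIS_RE.match(value):
        return value
    return value[:-1] + ".000Z"


def resolve_start_date(metric: str, start_date: str) -> str:
    """Return the date the data pull for `metric` should start from."""
    start_date = (start_date or "").strip()

    if metric in FIM_METRICS:
        # 1.8.8: FIM inputs do not fall back to the 1999 default; a blank
        # Start Date is reported as invalid instead of silently pulling.
        if not start_date:
            raise InvalidStartDate("Start Date is required for FIM Qualys Metrics")
        return add_milliseconds(start_date)

    if metric == "sem_detection":
        if not start_date:
            return SEM_DEFAULT_START
        if not _SECONDS_RE.match(start_date):
            raise InvalidStartDate("sem_detection Start Date must be YYYY-MM-DDThh:mm:ssZ")
        if parse_utc(start_date) < parse_utc(SEM_DEFAULT_START):
            raise InvalidStartDate(f"sem_detection Start Date cannot be earlier than {SEM_DEFAULT_START}")
        return start_date

    # Every other metric: seconds precision, 1999-01-01 when blank.
    if not start_date:
        return DEFAULT_START
    if not _SECONDS_RE.match(start_date):
        raise InvalidStartDate("Start Date must be YYYY-MM-DDThh:mm:ssZ")
    parse_utc(start_date)
    return start_date
```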


Improvements in 1.8.7 


Updated CS containers and CS images API Version to 1.3 


We updated CS Container and CS Image API version from 1.2 to 1.3 for CS container and 
CS image data inputs. 


From this version onwards, use in the CS API request: 


- the SHA value of the image (imageSha) instead of the image ID (imageId) to fetch the image 
details 


- the SHA value of the container (containerSha) instead of the container ID (containerId) to fetch 
the container details 

- the pageNumber parameter instead of the PageNo parameter to fetch the page with the 
specified number. 


Reset the username and password from the TA setup page 


We made an improvement: earlier, if a user with two Qualys API accounts on a 
Qualys platform tried to switch between accounts by changing the Qualys API credentials 
from the TA setup page, the passwords.conf file had to be removed first. 


Now, as per the new flow, you do not have to remove the passwords.conf file while setting 
the Qualys API credentials from the TA setup page. When you enter the username on the 
TA setup page, we check whether the username already exists in the passwords.conf file. If the 
username already exists, we only update the password. 


If the username specified on the TA setup page does not exist in the passwords.conf file, 
we fetch the old username from the passwords.conf file. If the old username is not 
blank in the file, we delete the old credentials and add the new username and 
password specified on the TA setup page. In the case of a new user, we add the new 
username and password specified on the TA setup page. 


Show Splunk restart message when saving settings on TA setup page first time 


We will now show a message to “restart the Splunk to load all settings” after you save the 
settings on the TA setup page for the first time. Earlier, when the user was saving the TA 
setup form the first time and was not restarting the Splunk, then on the data input and 
event types pages, the TA set up form was shown instead of the respective forms. 


Added DISA STIG SV values to PC Data Input 


Policy Posture API response now has <REFERENCE> tag shown under <GLOSSARY>. We 
will show the value of the <REFERENCE> tag in Splunk when you search Policy Posture 
data using the posture info event. The value for the tag will be blank if the <REFERENCE> 
tag has no value. 


Improvements in 1.8.6 


Change in processing logic of PC data input 


Prior to this release, PC data input was using the “policy_ids” parameter to pull posture 
information. With this release, we will use the “policy_id” instead of the “policy_ids” 
parameter to pull the posture information. As per the new logic, TA will first fetch all the 
policy IDs using the Compliance Policy List API and then for each policy_id, it will fetch the 
posture information using the Compliance Posture Information API. 


As a result of this change, on the TA setup page, we removed the “Number of POLICY IDs 
to use for PC Posture Information (max 10)” option and added the “Number of posture info 
records per API request’ option for PC posture API request. The value in this field will be 
used for the “truncation_limit” parameter of the PC posture API request and define how 
many posture info records will be returned per request. If the requested list identifies 
more records than the truncation limit, then the XML output includes the <WARNING> 
element and the URL for making another request for the next batch of records. 



The default value is 1000. If you want to fetch all the posture information in a single 
output then specify 0. Paginated output is recommended if the posture info data is large. 


[Screenshot: Policy Compliance Settings section. Note: The PC feed does not pull the SCAP information. Options shown: "Log individual PC Compliance Posture events", "Log Policy Summary", "Log "All" details (when unchecked, logs "Basic" details)", "Add additional fields (REMEDIATION, RATIONALE, EVIDENCE, CAUSE_OF_FAILURE)", "Enable multi-threading for PC Posture Information download", "Number of threads to use for PC Posture Information (max 10)" (value 2), "Number of posture info records per API request" (value 200) and "Extra parameters for Posture Information API" (enter as URL query, e.g. a=1&b=string, or as JSON, e.g. {"a":1, "b": "string"}; the parameters action, output_format, details, status_changes_since, policy_ids, show_remediation_info, cause_of_failure, include_dp_name, policy_id and truncation_limit are NOT allowed).] 


Change in XML input file parsing logic for performance improvement 


We changed the parsing logic for the XML input files to improve the processing time of 
XML files. TA no longer loads the full XML input file into memory, which was making the 
system slow and causing the XML processing to take a longer time. To improve the 
performance, TA now parses the XML file line by line or tag by tag. 
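An added example, not the TA's code, of the paging and parsing behaviour described for the PC data input in 1.8.6 and 1.8.9: tag-by-tag parsing with xml.etree.iterparse instead of loading the whole file, following the <WARNING> URL when truncation_limit is reached, and retrying a page whose XML came back incomplete. The sample XML is constructed; element names other than WARNING and URL, the qualysapi.example host and the id_min query parameter are assumptions:

```python
import io
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of one truncated page: two posture records followed by the
# <WARNING> element whose <URL> points at the next batch.
SAMPLE_PAGE = b"""<?xml version="1.0" encoding="UTF-8"?>
<POSTURE_INFO_LIST_OUTPUT>
 <RESPONSE>
  <POSTURE_INFO_LIST>
   <INFO><ID>1</ID><HOST_ID>346787379</HOST_ID><POLICY_ID>11</POLICY_ID><STATUS>Passed</STATUS></INFO>
   <INFO><ID>2</ID><HOST_ID>346787379</HOST_ID><POLICY_ID>11</POLICY_ID><STATUS>Failed</STATUS></INFO>
  </POSTURE_INFO_LIST>
  <WARNING>
   <TEXT>Record limit exceeded. Use URL to get next batch of results.</TEXT>
   <URL><![CDATA[https://qualysapi.example/api/2.0/fo/compliance/posture/info/?action=list&policy_id=11&truncation_limit=2&id_min=3]]></URL>
  </WARNING>
 </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>
"""

# Constructed last page: one record and no <WARNING>, so paging stops here.
SAMPLE_LAST_PAGE = b"""<?xml version="1.0" encoding="UTF-8"?>
<POSTURE_INFO_LIST_OUTPUT>
 <RESPONSE>
  <POSTURE_INFO_LIST>
   <INFO><ID>3</ID><HOST_ID>13126853</HOST_ID><POLICY_ID>11</POLICY_ID><STATUS>Passed</STATUS></INFO>
  </POSTURE_INFO_LIST>
 </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>
"""

class IncompleteResponse(Exception):
    """The XML stopped mid-document (the 1.8.9 'incomplete XML file' case)."""

def parse_posture_page(xml_bytes: bytes) -> Tuple[List[Dict[str, str]], Optional[str]]:
    """Return (records, next_url) for one page, reading tag by tag.

    iterparse hands back each element when its closing tag arrives, so every
    <INFO> is flattened to a dict and cleared at once; memory stays bounded by
    one record rather than by the whole file.
    """
    records: List[Dict[str, str]] = []
    next_url: Optional[str] = None
    try:
        for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("end",)):
            if elem.tag == "INFO":
                records.append({c.tag: (c.text or "").strip() for c in elem})
                elem.clear()
            elif elem.tag == "WARNING":
                url = elem.find("URL")
                if url is not None and url.text:
                    next_url = url.text.strip()
                elem.clear()
    except ET.ParseError as exc:
        # A cut-off download surfaces as a syntax error at end of input; raise
        # it so the caller can set the file aside and repeat the API call.
        raise IncompleteResponse(str(exc)) from exc
    return records, next_url

def fetch_all_posture(fetch_page: Callable[[str], bytes], first_url: str,
                      retries: int = 1, max_pages: int = 1000) -> List[Dict[str, str]]:
    """Follow <WARNING><URL> links until a page arrives without one, repeating
    a page whose XML came back incomplete (up to `retries` times)."""
    records: List[Dict[str, str]] = []
    url: Optional[str] = first_url
    pages = 0
    while url is not None:
        pages += 1
        if pages > max_pages:
            raise RuntimeError("too many posture pages; refusing to loop forever")
        attempt = 0
        while True:
            try:
                page_records, url = parse_posture_page(fetch_page(url))
                break
            except IncompleteResponse:
                attempt += 1
                if attempt > retries:
                    raise
        records.extend(page_records)
    return records

def demo() -> int:
    """Walk both constructed pages through a fake fetcher whose first call
    returns a cut-off body; returns the number of posture records collected."""
    first = "https://qualysapi.example/api/2.0/fo/compliance/posture/info/?action=list&policy_id=11&truncation_limit=2"
    _, second = parse_posture_page(SAMPLE_PAGE)
    bodies = {first: SAMPLE_PAGE, second: SAMPLE_LAST_PAGE}
    calls = {"n": 0}

    def fetch_page(url: str) -> bytes:
        calls["n"] += 1
        return SAMPLE_PAGE[:120] if calls["n"] == 1 else bodies[url]  # first call: cut-off body

    return len(fetch_all_posture(fetch_page, first))
```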


Improvements in 1.8.5 


Added three new fields in the VM Detection Settings section on the TA setup page 


We have added three new fields: "Host fields to log", "Detection fields to log", and "Max 
characters allowed in RESULTS field" in the VM Detection Settings section on the TA setup 
page. 


[Screenshot: VM Detection Settings section showing "Host fields to log" (default value starts ID,IP,TRACKING_METHOD,DNS,NETBIOS,OS,LAST_SCAN_DATETIME,TAGS,NETWORK_ID,LAST_VM_SCA...; help: enter host XML tag names from the API response to be logged in the event, comma-separated, e.g. ID,IP,TRACKING_METHOD,DNS), "Detection fields to log" (default value starts QID,TYPE,PORT,PROTOCOL,SSL,STATUS,LAST_UPDATE_DATETIME,LAST_FOUND_DATETIME,FIRST_FO...; help: enter detection XML tag names from the API response to be logged in the event, comma-separated, e.g. QID,TYPE,PORT,PROTOCOL), "Max characters allowed in RESULTS field" (value 0; help: value 0 means TA won't truncate the RESULTS field, a non-zero value means TA will truncate the RESULTS field at that length), "Log Host Summary events", "Log extra statistics in host summary (Breakdown of Vulnerability Count by (Severity and Type), by (Severity and Status))", "Log Individual Host Vulnerabilities" and "Log host information with each detection (e.g. IP, OS, DNS, NetBios)".] 


1) "Host fields to log" shows the default output values for host assets. You can add additional 
comma-separated host XML tag names such as "Asset_ID" returned in the Host List API 
response that you want to log into the event, or remove any existing tag that you don't 
want to log. 
2) "Detection fields to log" shows the default output fields for host detection. You can add 
additional comma-separated detection XML tag names such as 
"AFFECT_EXPLOITABLE_CONFIG" and "AFFECT_RUNNING_KERNEL" returned in the Host 
List Detection response that you want to log in the event, or remove any existing tag that 
you don't want to log. 


3) "Max characters allowed in RESULTS field" lets you specify the maximum number of 
characters that will appear in the RESULTS field. If the number of characters 
exceeds the maximum allowed, TA truncates the excess characters 
after parsing the RESULTS field and appends the message "[TRUNCATED XXX Characters]" 
to the RESULTS field. 


Sample event (from screenshot): 

2/23/21 10:59:44.000 AM  HOSTVULN: HOST_ID=346787379, IP="172.16.52.17", TRACKING_METHOD="AGENT", NETWORK_ID="0", OS="Ubuntu Linux 18.04.4", DNS="closempvm.isw5zgahngnetfakcxbprin2he.cx.internal.cloudapp.net", LAST_SCAN_DATETIME="2021-02-23T05:29:44Z", LAST_VM_SCANNED_DATE="2021-02-23T04:54:15Z", SEVERITY=2, QID="115968", TYPE="INFO", FIRST_FOUND_DATETIME="2020-08-27T17:00:47Z", LAST_FOUND_DATETIME="2021-02-23T04:54:15Z", TIMES_FOUND="1047", IS_DISABLED="0", RESULT_TRUNCATED="2", RESULTS="root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve syslog messagebus _apt lxd uuidd dnsmasq ... 
host = $decideOnStartup   source = qualys   sourcetype = qualys:hostDetection 


The “RESULT_TRUNCATED” field now shows values based on whether the RESULT field is 
truncated by the TA or Splunk. 


1)RESULT_TRUNCATED is “0” if neither TA nor Splunk truncates the RESULTS field/raw 
event. 


2) RESULT_TRUNCATED value is “1” if the RESULTS field is truncated by Splunk. Note that 
if Splunk truncates the RESULTS field then the message “[TRUNCATED XXX Characters]” 
in the Results field is not shown. 


Sample event (from screenshot): 

2/26/21 2:16:14.000 PM  HOSTVULN: HOST_ID=13126853, IP="10.115.108.61", NETWORK_ID="0", OS="Windows 10 Pro 64 bit Edition Version 2004", DNS="eu02asset1", LAST_SCAN_DATETIME="2021-02-26T08:46:14Z", LAST_VM_SCANNED_DATE="2021-02-26T08:45:45Z", SEVERITY=3, QID="105237", TYPE="INFO", FIRST_FOUND_DATETIME="2020-10-31T20:08:51Z", LAST_FOUND_DATETIME="2021-02-26T08:45:45Z", TIMES_FOUND="654", IS_DISABLED="0", RESULT_TRUNCATED="1", RESULTS="\SAMR S-1-15-3-8 8 access-allowed standard_read read_extended_attributes read_data synchronize write_data write_extended_attributes write_attributes read_attributes \SAMR Everyone 0 access-allowed standard_read read_extended_attributes read_data synchronize write_data write_extended_attributes write_attributes read_attributes \SAMR AnonymousLogon 7 access-allowed standard_read read_extended_attributes read_data synchronize write_data write_extended_attributes write_attributes read_attributes \SAMR Administrators 544 access-allowed append_data execute standard_write_dac standard_r... 
host = $decideOnStartup   source = qualys   sourcetype = qualys:hostDetection 


3) RESULT_TRUNCATED value is “2” if the RESULTS field is truncated by TA. Note that if TA 
truncates the RESULTS field then the message “[TRUNCATED XXX Characters]” in the 
Results field is shown. 
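An added example in Python, not the TA's own code, of the RESULTS truncation and RESULT_TRUNCATED values described above, with RESULTS rendered as the final field as per the 1.8.2 change. The count in "[TRUNCATED XXX Characters]" is assumed to be the number of characters removed, and the key="value" rendering is a simplified constructed one:

```python
from typing import Dict, Tuple

# RESULT_TRUNCATED values as documented for the HOSTVULN event.
TRUNCATED_BY_NONE = 0    # neither TA nor Splunk truncated RESULTS
TRUNCATED_BY_SPLUNK = 1  # Splunk truncated the raw event at index time (not decided here)
TRUNCATED_BY_TA = 2      # TA truncated RESULTS at the configured length


def truncate_results(results: str, max_chars: int) -> Tuple[str, int]:
    """Apply 'Max characters allowed in RESULTS field'.

    0 means never truncate. Otherwise keep the first max_chars characters and
    append the documented marker; XXX is taken to be the number of characters
    removed (an assumption, the guide does not spell it out).
    """
    if max_chars < 0:
        raise ValueError("max_chars must be 0 or a positive number")
    if max_chars == 0 or len(results) <= max_chars:
        return results, TRUNCATED_BY_NONE
    removed = len(results) - max_chars
    return f"{results[:max_chars]}[TRUNCATED {removed} Characters]", TRUNCATED_BY_TA


def build_hostvuln_event(host: Dict[str, str], detection: Dict[str, str],
                         results: str, max_chars: int) -> str:
    """Render a HOSTVULN event as comma-separated key="value" pairs.

    RESULTS goes last (the 1.8.2 change): if Splunk later truncates an
    oversized raw event, only the tail of RESULTS is lost and every other
    field is still extractable. Quoting every value is a simplification of
    the TA's real output, where some numeric fields are unquoted.
    """
    value, flag = truncate_results(results, max_chars)
    pairs = [f'{k}="{v}"' for k, v in host.items()]
    pairs += [f'{k}="{v}"' for k, v in detection.items()]
    pairs.append(f'RESULT_TRUNCATED="{flag}"')
    pairs.append(f'RESULTS="{value}"')   # always the final field
    return "HOSTVULN: " + ", ".join(pairs)


if __name__ == "__main__":
    # Constructed sample modelled on the screenshot above.
    event = build_hostvuln_event(
        {"HOST_ID": "346787379", "IP": "172.16.52.17", "OS": "Ubuntu Linux 18.04.4"},
        {"QID": "115968", "TYPE": "INFO", "SEVERITY": "2"},
        "root daemon bin sys sync games man lp mail news uucp proxy www-data", 40)
    print(event)
```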


Improvements in 1.8.4 


Added option to index the KB data in Splunk 


With this release, we now support indexing of the KnowledgeBase (KB) data in Splunk so 
that Splunk TA users in a distributed setup environment can get the updated 
KnowledgeBase data on the Search Head from the Heavy Forwarder and generate the KB 
CSV file. 

On the TA setup page, we added a KnowledgeBase Settings section that has a check box 
"Index the knowledge base...". 


[Screenshot: Knowledge Base Settings section, with the check boxes "Log additional fields (SOLUTION, CONSEQUENCE, DIAGNOSIS)" and "Index the knowledge base. CSV lookup file will NOT be created."] 


The check box indicates whether to index the KnowledgeBase data in Splunk or to write 
the data into a CSV file. When you select the check box and click Save, TA will fetch the KB 
data and index the KB data in Splunk. If the check box is not selected, TA does not index 
the KB data into Splunk and creates a CSV file. 


The CSV file will have KB data from 1999-01-01. 


[Screenshot: Settings > Data Inputs > Qualys Technology Add-On, Add Data page for knowledge_base. Help text shown: "Cron entry or Interval" can be a cron format entry or an old-style interval between subsequent runs; if you upgraded from version 11.0, it is recommended to change this to cron format for more control. Old-style intervals are still supported for backward compatibility, format *w*d*h*m*s where * is any positive number, e.g. 12h to run 12 hours after the last run; you can omit the letter if the value is 0. Note: the API rate limit according to your API tier will be applicable. Start Date: for fim_events, fim_ignored_events, and fim_incidents, UTC ISO 8601 "YYYY-MM-DDThh:mm:ss.msZ" (e.g. 2017-01-01T00:00:00.000Z); for sem_detection, "YYYY-MM-DDThh:mm:ssZ" with default "2021-01-26T00:00:00Z"; for other Qualys Metrics, "YYYY-MM-DDThh:mm:ssZ" with default "1999-01-01T00:00:00Z". For host_detection this value refers to the host scanned date, for was_findings to the last tested date, and for cs_image_vulns to the image scan date.] 

On the Settings > Data Inputs > Add Data page for Qualys technology add on, we added 
the information that for knowledge_base “Start Date” field is applicable only if “index the 
knowledge base” is enabled on the TA set up page. 


After you enable the index KB data option, you need to generate KB CSV lookup on the 
Search Head. See KnowledgeBase Settings. 


CS image label Information now available in CS events 


You will now see the CS label information along with the CS image vulnerabilities in CS 
events for images in Splunk. TA uses a new API "/csapi/v1.2/images/<imageId>" to fetch 
the CS label and image vulnerability information. TA uses the label key to fetch the label 
information and the "vulnerabilities" key to fetch the vulnerability information. The image 
vulnerabilities and label information will be available in the cs_vuln_info_event event type. 
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The new API does not provide image vulnerability summary information in the response. 
TA generates vulnerability summary information with the help of severity and patch 
availability fields of vuln summary information. All this vulnerability summary 
information will be available in the cs_vuln_summary_event event type. 
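As an added illustration (not the TA's own code), the following Python builds per-image vulnerability rows and a severity/patch-availability summary from a constructed response shaped after the "label" and "vulnerabilities" keys described above. The nesting of the label entries and the per-vulnerability field names severity and patchAvailable are assumptions for the example, not the documented API schema.

```python
import json

# Constructed sample standing in for a /csapi/v1.2/images/<imageId> response.
# Only the top-level "label" and "vulnerabilities" keys come from the text above;
# the shape of each entry (name/value labels, severity, patchAvailable) is assumed.
SAMPLE_IMAGE_RESPONSE = json.dumps({
    "imageId": "sha256:constructed0000",
    "label": [{"name": "app", "value": "web"}, {"name": "env", "value": "prod"}],
    "vulnerabilities": [
        {"qid": 370845, "severity": 5, "patchAvailable": True},
        {"qid": 370900, "severity": 4, "patchAvailable": False},
        {"qid": 371000, "severity": 4, "patchAvailable": True},
        {"qid": 371100, "severity": 2, "patchAvailable": False},
    ],
})


def kv_event(prefix, fields):
    """Render fields in the KEY="value" style the TA uses for its events."""
    return prefix + ": " + ", ".join('%s="%s"' % (k, v) for k, v in fields.items())


def vuln_summary(vulns):
    """Count vulnerabilities per severity (1-5) and by patch availability."""
    summary = {"TOTAL_VULNS": len(vulns)}
    for sev in range(1, 6):
        summary["SEVERITY_%d" % sev] = 0
    summary["PATCH_AVAILABLE"] = 0
    summary["PATCH_NOT_AVAILABLE"] = 0
    for vuln in vulns:
        sev = int(vuln.get("severity", 0))
        if 1 <= sev <= 5:
            summary["SEVERITY_%d" % sev] += 1
        key = "PATCH_AVAILABLE" if vuln.get("patchAvailable") else "PATCH_NOT_AVAILABLE"
        summary[key] += 1
    return summary


def build_cs_events(raw_json):
    """Return (info_events, summary_event) for one image response.

    info_events holds one line per vulnerability with the image labels attached
    (what cs_vuln_info_event carries); summary_event holds the derived counts
    (what cs_vuln_summary_event carries).
    """
    image = json.loads(raw_json)
    labels = {"LABEL_" + item["name"]: item["value"] for item in image.get("label") or []}
    vulns = image.get("vulnerabilities") or []
    info_events = []
    for vuln in vulns:
        fields = {"IMAGE_ID": image["imageId"], "QID": vuln["qid"],
                  "SEVERITY": vuln["severity"],
                  "PATCH_AVAILABLE": int(bool(vuln.get("patchAvailable")))}
        fields.update(labels)
        info_events.append(kv_event("CS_IMAGE_VULN", fields))
    summary_fields = {"IMAGE_ID": image["imageId"]}
    summary_fields.update(vuln_summary(vulns))
    summary_fields.update(labels)
    return info_events, kv_event("CS_IMAGE_VULN_SUMMARY", summary_fields)
```

The summary is computed locally because, as the text notes, the API response itself carries no summary block; a missing "label" or "vulnerabilities" key yields an empty label set or a zero-count summary rather than an exception.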


Improvements in 1.8.3 


We have fixed these issues in 1.8.3. 
Issues Fixed 


- We fixed an issue where the check box selection values for the "log host summary events" 
and "Log Individual Host Vulnerabilities" options in the TA set up > VM Detection settings 
section were read from the app configuration file instead of the qualys.conf file. 


- We fixed an issue where TA was logging “VM host summary events for host detection” in 
Splunk even though the user had configured to exclude the VM host summary events on 
the TA setup page. 


- We fixed an issue where WAS summary events weren't fetched for all the threads when 
the WAS data was fetched using multiple threads. Now when the WAS data is fetched in 
the multi-thread mode, TA logs events in Splunk from all the threads. 


- We fixed an issue where TA threw an error and terminated the WAS API call when the 
WAS data input was fetched using multiple threads and the web application IDs were not 
distributed appropriately to each thread. To fix this error, we have changed the logic for 
distributing web application IDs between the threads so that the IDs are appropriately 
distributed. 
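An added example (not the TA's own code) of the distribution problem this fix addresses: naive_distribute reconstructs one way a fixed-size slicing scheme drops IDs or starves threads, and distribute_ids is an assumed replacement that hands every thread a near-equal, non-empty share. The fetch_chunk callable is a stand-in for the WAS API call a worker thread would make; the TA's actual pre-fix and post-fix logic is not shown on this page.

```python
from concurrent.futures import ThreadPoolExecutor


def naive_distribute(ids, num_threads):
    """Reconstructed, assumed pre-fix scheme: fixed slice size from integer division.

    Leftover IDs beyond num_threads * size are silently dropped, and with fewer
    IDs than threads the size is 0, so every thread gets an empty slice.
    """
    size = len(ids) // num_threads
    return [ids[i * size:(i + 1) * size] for i in range(num_threads)]


def distribute_ids(ids, num_threads):
    """Split ids into at most num_threads near-equal chunks, never an empty one.

    With fewer IDs than threads only len(ids) chunks are produced, so idle
    threads are simply not started rather than handed nothing.
    """
    if num_threads < 1:
        raise ValueError("num_threads must be >= 1")
    ids = list(ids)
    chunk_count = min(num_threads, len(ids))
    if chunk_count == 0:
        return []
    base, extra = divmod(len(ids), chunk_count)
    chunks, start = [], 0
    for i in range(chunk_count):
        size = base + (1 if i < extra else 0)   # spread the remainder over the first chunks
        chunks.append(ids[start:start + size])
        start += size
    return chunks


def fetch_in_threads(ids, num_threads, fetch_chunk):
    """Run fetch_chunk(chunk) for every chunk in parallel and merge the results.

    fetch_chunk stands in for the WAS API call a worker thread makes for its
    share of web application IDs and must return a list of events.
    """
    chunks = distribute_ids(ids, num_threads)
    if not chunks:
        return []
    with ThreadPoolExecutor(max_workers=len(chunks)) as pool:
        per_chunk = list(pool.map(fetch_chunk, chunks))
    return [event for events in per_chunk for event in events]


def lost_ids(ids, num_threads):
    """IDs the naive scheme would never fetch (illustrates the bug)."""
    covered = {i for chunk in naive_distribute(ids, num_threads) for i in chunk}
    return [i for i in ids if i not in covered]
```

Silently dropped IDs are the more dangerous of the two failure modes: web applications that are never fetched produce no error, only missing findings in Splunk, so any distribution scheme is worth checking with an ID count that is not a multiple of the thread count.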


Improvements in 1.8.2 


Enhancements to VM Detection Event 


With this release, we have moved the Results field in the VM Detection event to the end of 
the event. When the Results field is placed before the other event fields, Splunk, at the time 
of processing the VM Detection event data, truncates all the fields after the Results field if 
the size of the event exceeds the truncation limit. To avoid truncation of fields, we have 
added the Results field at the end of the event. Now only the values in the Results field will 
be truncated, if the event size exceeds the truncation limit. 
We have added a RESULT_TRUNCATED field before the "Results" field in the event to 
inform you whether the event is truncated or not. RESULT_TRUNCATED = 1 means the event is 
truncated and RESULT_TRUNCATED = 0 means the event is not truncated. You can search for 
truncated and non-truncated events using this field. 


Screenshot: New Search eventtype="qualys_vm_detection_event", showing a HOSTVULN 
event (HOST_ID=202346955, IP="172.16.58.133", TRACKING_METHOD="AGENT", 
NETWORK_ID="0", OS="CentOS Linux 7.8.2003", ... QID="256941", TYPE="CONFIRMED", 
SSL="0", STATUS="ACTIVE", ... IS_IGNORED="0", IS_DISABLED="0", RESULT_TRUNCATED="0", 
followed by the Results value "Package Installed Version Required Version 
java-1.8.0-openjdk ... 1.8.0.262.b10-0.el7_8") with host = api, source = qualys, 
sourcetype = qualys:hostDetection. 


TA will also remove the leading and trailing white spaces from the Results field after TA 
fetches VM detection data from your Qualys account using the Host List Detection API. 


Splunk reads the truncate value from the props.conf file in the TA in “global/local” 
directory. If this file is removed from the app “global/local” directory, then TA will read the 
truncate value from the global props.conf file in Splunk. TA never truncates the event 
data while sending it to Splunk. Splunk automatically truncates the event if the size of the 
event exceeds the truncate limit set in the props.conf or global props.conf file. 
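The effect of the field order, shown with an added Python example that is not the TA's code: a constructed HOSTVULN-style event is rendered with Results first (the pre-1.8.2 layout) and last (the 1.8.2 layout), Splunk's TRUNCATE is simulated with a constructed 200-character limit, and RESULT_TRUNCATED is derived from the event size as the text describes. The field set is a shortened, constructed version of the HOSTVULN event in the screenshot above.

```python
import re

# Constructed stand-in for the TRUNCATE limit Splunk reads from props.conf;
# a real deployment takes it from the TA's props.conf or the global one.
TRUNCATE_LIMIT = 200

# Constructed sample, shortened from the HOSTVULN event shown above.
SAMPLE_FIELDS = {"HOST_ID": "202346955", "IP": "172.16.58.133", "QID": "256941",
                 "SEVERITY": "4", "STATUS": "ACTIVE"}
SAMPLE_RESULTS = ("  Package Installed Version Required Version\n"
                  + "java-1.8.0-openjdk 1.8.0.262.b10-0.el7_8 " * 10 + "  ")


def clean_results(results):
    """TA strips leading/trailing white space from Results before sending it on."""
    return results.strip()


def format_event(fields, results, results_last=True, limit=TRUNCATE_LIMIT):
    """Render a HOSTVULN event as KEY="value" pairs.

    results_last=False reproduces the pre-1.8.2 layout (Results first);
    results_last=True is the 1.8.2 layout with RESULT_TRUNCATED just before
    RESULTS at the end of the event.
    """
    results_pair = 'RESULTS="%s"' % clean_results(results)
    pairs = ['%s="%s"' % (k, v) for k, v in fields.items()]
    if not results_last:
        return "HOSTVULN: " + ", ".join([results_pair] + pairs)
    # The flag is derived from the size the event will have, so a search on
    # RESULT_TRUNCATED=1 finds the events whose Results Splunk will cut.
    size = len("HOSTVULN: " + ", ".join(pairs + ['RESULT_TRUNCATED="0"', results_pair]))
    flag = "1" if size > limit else "0"
    return "HOSTVULN: " + ", ".join(pairs + ['RESULT_TRUNCATED="%s"' % flag, results_pair])


def splunk_truncate(event, limit=TRUNCATE_LIMIT):
    """Simulate Splunk's TRUNCATE: everything past `limit` characters is dropped."""
    return event[:limit]


def surviving_fields(event, field_names):
    """Fields whose KEY="value" pair is still complete in (possibly truncated) event text."""
    return [f for f in field_names
            if re.search(r'(?<![A-Z_])%s="[^"]*"' % re.escape(f), event)]


def compare_layouts(fields=SAMPLE_FIELDS, results=SAMPLE_RESULTS, limit=TRUNCATE_LIMIT):
    """Return {layout: surviving field list} after truncation, for both layouts."""
    old = splunk_truncate(format_event(fields, results, results_last=False, limit=limit), limit)
    new = splunk_truncate(format_event(fields, results, results_last=True, limit=limit), limit)
    names = list(fields) + ["RESULT_TRUNCATED", "RESULTS"]
    return {"results_first": surviving_fields(old, names),
            "results_last": surviving_fields(new, names)}
```

With a long Results value, the Results-first layout loses every identifying field (HOST_ID, QID, STATUS) to truncation, which is what made truncated detections unsearchable; the Results-last layout loses only the tail of Results, and the flag makes those events easy to find. The constructed limit is deliberately small; on a real indexer compare the event size against the TRUNCATE value in the effective props.conf.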


Note 


The VM Detection event shows the Results field when show_results is set to 1 in the 
"Extra Parameters" field in VM Detection Settings on the TA setup page. If this parameter 
is not set, then none of these changes will have any impact on the VM Detection Event 
data. 


Improvements in 1.8.1 
Cleanup Script to remove API output files for Activity Log 


We added the “Activity Log” data input in the cleanup script to remove the API output files 
from the /tmp directory. 


Issue Fixed 


We fixed the byte string issue for the host detection data pulled in Splunk on Splunk 
versions 8.x.x and above, which use the Python 3 interpreter. 


Improvements in 1.8.0 


Added a new data input - Activity Log 


We added a new data input "Activity Log" to TA to let you pull activity logs from your 
Qualys account. To access the data input page, go to Settings > Data > Data Inputs > Qualys 
Technology Add-On. Click Add and from the Qualys Metrics drop-down, select activity_log. 


What's New 


Page size field added for data inputs 


We added a Page size field for these data inputs to let you specify the number of records to 
be fetched in a single API call. The default value for page size is 1000 records, but you can 
change the value. 


- Container Security Data Settings for Images 

- Container Security Data Settings for Containers 
- FIM settings for events 

- FIM settings for ignored events 

- FIM settings for incidents 

- Indication of Compromise (IOC) 


Redesigned TA setup form 


We have redesigned the TA setup form to make TA 1.8.0 Splunk Cloud compatible, as 
suggested by the Splunk AppInspect tool, and to improve the user experience. 


Screenshot of the redesigned setup form (TA-QualysCloudPlatform > Configure This App): 

Qualys API Server 
- Qualys API Server: https://qualysapi.qualys.com 
  Note: The url should start with HTTPS. 

Qualys Credentials 
- Username 
- Password 
- Confirm Password 
  Note: Leave username/password blank, if you have already set it up. 

Client Certificate 
- Use a Client certificate for authentication (check box) 
- Path to client CA certificate 
- Path to client CA certificate key 
- Passphrase for client CA certificate 
- Confirm Passphrase 

API Timeout Settings (collapsed section) 

VM Detection Settings (collapsed section) 


Issues Fixed 
We have fixed the proxy server validation issue in this release. 


You can now update Qualys's password in the TA setup form without removing the 
password.conf file & restarting Splunk. 


We now log the error in TA log if the CRON format of data input is invalid. 
Improvements in 1.7.1 


We made these improvements in 1.7.1 


- TA is now compatible with both Python v2.7 and v3.7. See How to switch python 
interpreter for Python3? 


- Container Security APIs now support the API gateway. Private cloud providers can use the 
gateway URL to connect to and fetch CS data from the Qualys Cloud Platform. 


TA v1.7.1 no longer supports macro definition for indexes 


Due to a known issue with Splunk, the user was getting a 255 error on the distributed 
Search Head setup. We had used macros for the ease of handling indexes and event 
types. 


But in the case of the distributed setup, the macro definitions were not getting expanded 
and as a result, the user was getting an error on the dashboard or while searching with 
event types. 


To resolve this issue, the Splunk team has suggested not to use macros till further notice 
from them. See How to assign a custom index to an event type? 


Improvements in 1.6.7 


Policy Compliance data to show additional fields 


You can now view REMEDIATION, RATIONALE, EVIDENCE and CAUSE_OF_FAILURE 
information in the compliance posture data for your policy. 


Screenshot: a POSTURE_INFO event in Splunk search results (POLICY_ID="844587", 
HOST_ID="155481117", HOST_DNS="demo13.s02.sjc01.qualys.com", ...) including the 
CAUSE_OF_FAILURE_MISSING="1-365", CAUSE_OF_FAILURE_MISSING_LOGIC="OR" and 
EVIDENCE fields ("Expected Value(s) - 1-365 | Current Values(s) - 99999"), with host = 
qualys-virtual-machine, source = qualys, sourcetype = qualys:pc:postureInfo. 


To pull this data in Splunk, go to the TA setup page and in the "Policy Compliance Settings" 
section, select the "Add additional fields (REMEDIATION, RATIONALE, EVIDENCE, 
CAUSE_OF_FAILURE)" check box. 


Policy Compliance Settings (screenshot) 

Note: The PC feed does not pull the SCAP information 
- Log individual PC Compliance Posture events (checked) 
- Log Policy Summary (checked) 
- Log "All" details (when unchecked, logs "Basic" details) (checked) 
- Enable multi-threading for PC Posture Information download 
- Number of threads to use for PC Posture Information (max 10): 2 
Issues Fixed 


We fixed an issue where the last evaluated date was not shown as the event date for the 
policy. Now, if the policy has a last evaluated date, we show this date as the event 
date. 


Screenshot: a POLICY_INFO event (POLICY_ID="845427", ..., LAST_EVALUATED_DATETIME, 
LAST_MODIFIED_DATETIME, CREATED_BY="quays_rc70", STATUS="active", IS_LOCKED="0") with 
host = qualys-virtual-machine, source = qualys, sourcetype = qualys:pc:policyInfo. 


Improvements in 1.6.6 


TA to use “updated” dateTime to download Container and Images data in Splunk 


The new version of Container Security API uses a new parameter: “updated” to address the 
issue with mismatch count between Qualys UI and Splunk. 


In TA 1.6.6, we now use the new parameter "updated" instead of "created" to ensure that 
all the containers and images that were updated in a particular duration get synced in 
Splunk. 


Improved Logging 


We have now improved logging to print exception messages and avoid logging empty 
messages. 


Masked Passwords 


Previously, the password was in plain text. We now mask passwords in proxy 
authentication. 
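An added example (not the TA's code) of masking proxy credentials before they reach a log line or a status page. The URL form of the proxy setting (user:password@host:port), the setting names matched, and the free-text log format are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "********"
SECRET_KEY_PATTERN = re.compile(r"(password|passphrase|secret)", re.IGNORECASE)


def mask_proxy_url(proxy_url, mask=MASK):
    """Replace the password in user:pass@host proxy URLs, keep everything else."""
    parts = urlsplit(proxy_url)
    if parts.password is None:
        return proxy_url                           # no credential embedded, nothing to hide
    host_part = parts.netloc.rpartition("@")[2]    # keeps IPv6 brackets and port as written
    netloc = "%s:%s@%s" % (parts.username or "", mask, host_part)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def mask_settings(settings, mask=MASK):
    """Return a copy of a settings dict that is safe to log.

    Keys that look like secrets (assumed naming) are replaced wholesale;
    a proxy_server URL keeps its host and port but loses the password.
    """
    safe = {}
    for key, value in settings.items():
        if SECRET_KEY_PATTERN.search(key) and value:
            safe[key] = mask
        elif key == "proxy_server" and isinstance(value, str):
            safe[key] = mask_proxy_url(value, mask)
        else:
            safe[key] = value
    return safe


def mask_log_line(line, mask=MASK):
    """Blank out key=value and key: value secrets in free-form log text."""
    return re.sub(r"(?i)((?:password|passphrase|secret)\s*[=:]\s*)\S+", r"\1" + mask, line)
```

Masking at the point where a value is formatted for output (rather than at the point where it is read) is what keeps a later debug message or exception string from reintroducing the plain-text password.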


Improved parsing for Host Detection RESULTS 


We have improved the Host Detection RESULTS section to address the issue of parsing 
RESULTS in upper case. 


Retry Interval 


We have introduced a new configuration 'retry_interval_seconds' to retry the same API 
request after the configured interval, in case any error occurs while calling APIs. 


Steps to configure 'retry_interval_seconds': 

- Edit the qualys.conf file from the below location: 

<Splunk Home>/etc/apps/TA-QualysCloudPlatform/local/qualys.conf 

- Add the below line to the qualys.conf file: 

retry_interval_seconds = <time in seconds> 
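A worked illustration, added here and not taken from the TA, of what the setting does: read retry_interval_seconds from a qualys.conf-style file with configparser and retry a request after that interval when it raises. The [setupentity] stanza name in the constructed sample is an assumption (the TA's own stanza may differ), and the max_attempts cap and the FlakyRequest stand-in for an API call are assumptions for the example.

```python
import configparser
import time

# Constructed qualys.conf fragment; the stanza name is an assumption.
SAMPLE_QUALYS_CONF = """\
[setupentity]
api_server = https://qualysapi.qualys.com
retry_interval_seconds = 30
"""


class ApiError(Exception):
    """Raised by the request callable when the API call fails."""


def read_retry_interval(conf_text, default=0):
    """Find retry_interval_seconds in any stanza; fall back to default (no wait)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    for section in parser.sections():
        if parser.has_option(section, "retry_interval_seconds"):
            value = parser.getint(section, "retry_interval_seconds")
            if value < 0:
                raise ValueError("retry_interval_seconds must be >= 0")
            return value
    return default


def call_with_retry(request, retry_interval_seconds, max_attempts=3, sleep=time.sleep):
    """Call request(); on ApiError wait retry_interval_seconds and try again.

    Returns (result, attempts_used). Re-raises after max_attempts failures so a
    persistently failing API does not keep the input running forever.
    """
    attempt = 0
    while True:
        attempt += 1
        try:
            return request(), attempt
        except ApiError:
            if attempt >= max_attempts:
                raise
            sleep(retry_interval_seconds)


class FlakyRequest:
    """Stand-in for an API call that fails a fixed number of times, then succeeds."""

    def __init__(self, fail_times, payload="<RESPONSE/>"):
        self.fail_times = fail_times
        self.payload = payload
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.fail_times:
            raise ApiError("HTTP 500 on call %d" % self.calls)
        return self.payload
```

The sleep callable is injected so the retry schedule can be checked without waiting; in production the default time.sleep is used. Keep the interval comfortably above the API's rate-limit window, otherwise an immediate retry simply produces another limit error.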
Improvements in 1.6.5 


TA to use "processedTime" for downloading FIM Data in Splunk 


The new version 2.0.2.0 of the FIM API has a new parameter "processedTime" to address the 
time lag issues with uploading the events on the Qualys portal by FIM agents. 


In TA 1.6.5, we now use the new parameter "processedTime" instead of "dateTime" to 
ensure that all the FIM events that are generated in a particular duration are pulled in 
Splunk. 


Due to this change, TA 1.6.5 will work only with FIM API version 2.0.2.0 and later and not 
with versions earlier than 2.0.2.0. 


Improvements in 1.6.4 


KnowledgeBase data to show BUGTRAQ_ID field 


In Splunk, we will now show a new field "BUGTRAQ_ID" in KnowledgeBase data that is 
pulled from Qualys. This information is shown for QIDs that have a BUGTRAQ_ID available. 


FIM events to show event generated time in search results 


When you search for FIM events in Splunk, the Time column in search results will now 
show you the time when the FIM event occurred as reported in your Qualys account. 
Earlier the time shown was the time when the event was pulled in Splunk. 


Improvements in 1.6.3 


Error on saving proxy server credentials 


Fixed an issue where the TA user was getting an error when saving proxy server 
credentials required for authentication to the proxy server on the Qualys App set up page. 
Now the credential details are getting saved. 


KnowledgeBase Data not populating in the solution section of the KB lookup file 


We fixed an issue where the solution section in the KB lookup file (qualys_kb.csv) was not 
getting populated due to a failure in parsing of KnowledgeBase data. The parsing error 
occurred because the parameters "Threat_INTEL_IDs" and "Threat_INTEL_VALUES" were 
not found in the KB lookup file. We have added these two parameters to the KB lookup file. 


Handle XML parsing error for WAS data 


We fixed an issue where TA used to parse a WAS XML response file that had XML 
parsing errors. Now when TA receives WAS data that contains parsing errors, it will not 
parse the file and will request the Qualys API server to resend the response file. TA will keep 
requesting the WAS data from the API server until it receives data that contains no parsing 
errors. 


Certificate authentication failure when connecting to Qualys API server 


We fixed an issue where authentication to the Qualys API server failed when 
the user tried to connect to the API server via the proxy server using the certificate. 


New Enhancements in 1.6.2 


We have made the following enhancements in 1.6.2 release. TA can now: 


- Pull EC2 metadata in host detection events using the extra parameter. For example, 
{"host_metadata": "ec2", "host_metadata_fields": "region,accountId,instanceId"}. 


- Pull "cwe" information in Qualys WAS events. 


- Retry the request that failed due to corrupted response XML. 


New Features in 1.6.1 


You can now configure Qualys App for Splunk Enterprise to pull IOC events data in Splunk 
from your Qualys account. We added a new Qualys metric (data input feed) "ioc_events" 
that you need to configure and enable for pulling the IOC events from your Qualys 
account. A new event type "ioc_info_event" is added for searching pulled IOC events in 
Splunk. 


Indication of Compromise Settings (screenshot) 

- Extra parameters to pass to Indication of Compromise API: (type:file AND 
indicatorscore=0) OR (type:process AND action:running) 
  Enter as Elastic Search Query (e.g. a:1 or b.c:string OR a:1 and b.c:string). Following 
parameters are NOT allowed: pageNumber, pageSize, dateTime, fromDate, toDate 


You can now preserve API output files in Splunk using the "Enable to preserve the 
XML/JSON files of API output" option. This option is available on the Qualys app setup 
page. By default, this check box will not be selected. 


Preserve API Output (screenshot) 

- Enable to preserve the XML/JSON files of API output (check box) 


Added FIM Dashboard 


We have also added a FIM dashboard to give you a graphical analysis of your FIM data 
pulled from your Qualys account. You will see graphical data for the total number of changes, 
events by severity, file and directory changes by change action, and top changes by OS, 
user and process. 


Multithreading not supported for FIM 


We removed multithreading support for FIM as the new APIs (FIM API Version 2.0) do not 
support multithreading. 


New Feature in 1.5.0 


Qualys App for Splunk Enterprise can now pull FIM data for events, ignored events and 
incidents from your Qualys Account. On the TA set up page, you will now see 3 new 
sections: FIM Settings for Events, Ignored Events and Incidents. Specify configuration 
settings in these sections for collecting FIM data. Next, enable the FIM data feeds to pull 
the FIM data based on the configuration settings provided on the TA set up page. 


FIM Settings for Events (screenshot) 

- Enable multi-threading to download FIM Events 
- Number of threads to use for FIM Events feed (max 10): 2 
- Extra filters for FIM Events API 
  Enter as Elastic Search Query (e.g. a:1 or b.c:string OR a:1 and b.c:string). Following 
parameters are NOT allowed: pageNumber, pageSize, dateTime 

FIM Settings for Ignored Events (screenshot) 

- Enable multi-threading to download FIM Ignored Events 
- Number of threads to use for FIM Ignored Events feed (max 10): 2 


New Features and Fixed Issues in 1.4.1 


View Qualys Real-time Threat Indicators (RTIs) for vulnerabilities 


We are now sending the Qualys Real-time Threat Indicators (RTIs) data in the data input 
for the Knowledge_base metric. Only user accounts with a Threat Protection 
subscription can view this information for vulnerabilities found in the host based scans. 
You can set up your dashboard to monitor vulnerabilities for various threat level values. 


The sample search shows vulnerabilities for which the threat value is High_Data_Loss. 


eventtype=qualys_vm_detection_event | dedup 1 HOST_ID, QID | lookup qualys_kb_lookup 
QID OUTPUT THREAT_INTEL_VALUES | search 
THREAT_INTEL_VALUES="*High_Data_Loss*" | table HOST_ID, LAST_SCAN_DATETIME, 
QID, THREAT_INTEL_VALUES 


Screenshot: the search above run in the Qualys VM App for Splunk Enterprise, returning 
3,833 events (3/9/19 12:00:00.000 AM to 4/8/19 12:23:04.000 PM); the Statistics tab lists 
HOST_ID, LAST_SCAN_DATETIME, QID and THREAT_INTEL_VALUES, for example: 

43225296 2019-04-03T08:44:55Z 16143 High_Lateral_Movement, Easy_Exploit, High_Data_Loss, Denial_of_Service 
43225296 2019-04-03T08:44:55Z 16125 Exploit_Public, High_Lateral_Movement, ... 
43225296 2019-04-03T08:44:55Z 16087 Zero_Day, Exploit_Public, High_Lateral_Movement, ... 


Support for the arf_kernel filter parameter for VM host detection 


We now support the "arf_kernel" filter parameter to identify vulnerabilities found on running 
or non-running Linux kernels. You can update the optional parameters to include the 
arf_kernel parameter in VM Detection Settings on the TA setup page. 


Set show_results=1 to view TCP/UDP port information 


We have fixed an issue where the user was unable to view the open TCP/UDP ports 
information in the HOSTSUMMARY events. To view the information, update the optional 
parameters in VM Detection Settings on the TA setup page to include "show_results=1". 


Newline character removed from the port data in vulnerability data feed 


We have fixed an issue where whitespace and newline characters in the port data in the 
Results tag in the vulnerability data feed fetched from the Qualys Server were introducing 
new events when imported in Splunk. Now, we have fixed this issue by removing these 
characters from the vulnerability data feed before importing it in Splunk. 


Enable CVSS scoring in your account to view CVSS scores for vulnerabilities 


We have fixed an issue where Splunk was showing an error for missing CVSS data when 
importing the KnowledgeBase API response in Splunk TA. This issue was occurring for the 
user accounts that did not have CVSS Scoring enabled for their subscriptions. As a result, the 
KnowledgeBase API response does not have CVSS data for vulnerabilities. To enable CVSS 
Scoring in your Qualys account, go to "Reports > Setup > CVSS > Enable CVSS" and click 
"Save". 
Now, Splunk does not show the missing CVSS data error if you do not enable CVSS scoring for 
your subscription. In this case, Splunk will show no CVSS metrics scores for vulnerabilities 
in the Splunk KnowledgeBase. 


New Feature in 1.4.0 


TA now supports ingesting Container Security data 


Qualys App for Splunk Enterprise can now pull vulnerability information for Docker images 
and containers in Container Security from your Qualys account. TA pulls CS data based on 
the configuration information you have provided in the Container Security Settings for 
Images and Containers. CS data is in JSON format. 


New Feature in 1.3.4 


New information added in HOSTSUMMARY and HOSTVULN events 


Added NETWORK_ID, LAST_VM_SCANNED_DATE and LAST_VM_SCANNED_DURATION 
information in HOSTSUMMARY. 


HOSTSUMMARY: HOST_ID=227520646, IP="104.154.89.105", TRACKING_METHOD="IP", NETWORK_ID="0", 
DNS="105.89.154.104.bc.googleusercontent.com", LAST_SCAN_DATETIME="2018-09-18T12:06:35Z", 
LAST_VM_SCANNED_DATE="2018-09-18T11:59:44Z", LAST_VM_SCANNED_DURATION="371", SEVERITY_1=5, 
SEVERITY_2=3, INFO=5, CONFIRMED=3, POTENTIAL=0, NEW=0, ACTIVE=3, FIXED=0, RE-OPENED=0, ACTIVE_SEVERITY_1=5, 
ACTIVE_SEVERITY_2=3, INFO_SEVERITY_1=5, CONFIRMED_SEVERITY_2=3, TOTAL_VULNS=8 


Added LAST_FIXED_DATETIME, TIMES_FOUND, IS_IGNORED, IS_DISABLED information in 
HOSTVULN. 


HOSTVULN: HOST_ID=190339328, IP="172.16.5.4", TRACKING_METHOD="AGENT", NETWORK_ID="0", 
OS="Ubuntu Linux 14.04.5", DNS="wordpress", LAST_SCAN_DATETIME="2018-09-19T02:47:26Z", 
LAST_VM_SCANNED_DATE="2018-09-19T02:43:34Z", SEVERITY=3, QID="370845", 
TYPE="POTENTIAL", SSL="0", STATUS="FIXED", FIRST_FOUND_DATETIME="2018-04-10T23:36:56Z", 
LAST_FOUND_DATETIME="2018-07-09T17:36:54Z", TIMES_FOUND="438", 
LAST_TEST_DATETIME="2018-09-19T02:43:34Z", LAST_UPDATE_DATETIME="2018-09-19T02:47:26Z", 
LAST_FIXED_DATETIME="2018-07-09T23:15:12Z", IS_IGNORED="0", IS_DISABLED="0" 


New Features in 1.3.3 


New Basic option for fetching policy posture compliance data 


You can now specify to the Posture API to fetch only basic details of the policy posture 
compliance data for policy IDs. This option is for policy IDs with large posture compliance 
data. Keep the "Log "All" details (when unchecked, logs "Basic" details)" check box 
deselected in the Policy Compliance Settings for the API to get basic details. 


Configure total number of policy IDs to be fetched 


You can now configure in the Policy Compliance Settings the total number of policy IDs to 
be fetched by the Posture API. The valid number range is 1 to 10. Set this value low for 
policy IDs with large policy posture compliance data. 
New Features in 1.3.1 


Introducing new data input for Policy Compliance 


TA is now able to pull and ingest Policy Compliance posture information! The TA Setup 
page includes new Policy Compliance configuration settings. The extra parameters option 
accepts API parameters for Posture Information API (/api/2.0/fo/compliance/posture/info/ 
with action=list). When pulling policies information, Posture API parameter policy_ids 
becomes the parameter ids for Policy detail API call. 


Support for using client certificates to call API 


Now you can specify a client certificate in TA so that TA uses it while making API calls. A 
new section has been added to the TA setup page for this. 


New utility script to clean up left-over XML and PID files 


This new script is useful for cleaning up orphan XML files in the TA-DIR/tmp directory. 
While running the utility, you can provide command line options to specify data inputs for 
the XML files to be cleaned up. The utility will delete all the XML files for the chosen data 
inputs, except those belonging to currently running TA processes. 


Additional Improvements 1.3.1 


Update to Host List Detection API 


You'll now see the parameter vm_processed_after in TA logs. With Qualys 8.9, we 
1) changed the way we report host scan time so it's based on when a scan finished, not 
when the scan started, and 2) introduced new parameters to filter the Host List VM 
Detection API by scan end dates and processed dates. The vm_processed_after parameter 
is used to filter the list to only show hosts with vulnerability scan results processed after 
a certain date and time. 


Setup page save fails if there are any validation errors 


TA will try to validate inputs given on the TA setup page. If validation fails, it will NOT save 
any details, but raise a ValueError. This results in a generic error message in the Splunk UI. 
You can see a more detailed error message given by TA in splunkd.log. 
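An added example, not the TA's validator, of the fail-closed setup check this describes. The constraints come from the setup page itself as shown on this page (an HTTPS-only API server URL, thread counts of at most 10, 1 to 10 policy IDs per Posture API call, a 300-second default API timeout, a 1000-record default page size, and a 5-field cron schedule); the dictionary keys used for the settings are assumptions.

```python
MAX_THREADS = 10           # "(max 10)" on the thread-count fields of the setup page
MAX_POLICY_IDS = 10        # valid range 1 to 10 for policy IDs fetched per Posture API call
DEFAULT_API_TIMEOUT = 300  # default API timeout period in seconds
DEFAULT_PAGE_SIZE = 1000   # default page size for the paged data inputs


def _positive_int(value):
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def setup_errors(settings):
    """Return a list of validation messages; an empty list means the settings pass.

    Every check runs, so the detailed message that goes to splunkd.log names
    all problems at once instead of one per save attempt.
    """
    errors = []
    url = str(settings.get("api_server", "")).strip()
    if not url.lower().startswith("https://"):
        errors.append("Qualys API Server url should start with HTTPS")
    for key in ("vm_threads", "pc_threads", "fim_threads"):
        n = settings.get(key)
        if n is not None and not (_positive_int(n) and n <= MAX_THREADS):
            errors.append("%s must be between 1 and %d" % (key, MAX_THREADS))
    n = settings.get("pc_policy_ids_per_call")
    if n is not None and not (_positive_int(n) and n <= MAX_POLICY_IDS):
        errors.append("pc_policy_ids_per_call must be between 1 and %d" % MAX_POLICY_IDS)
    if not _positive_int(settings.get("api_timeout", DEFAULT_API_TIMEOUT)):
        errors.append("api_timeout must be a positive number of seconds")
    if not _positive_int(settings.get("page_size", DEFAULT_PAGE_SIZE)):
        errors.append("page_size must be a positive number of records")
    cron = settings.get("cron")
    if cron is not None and len(str(cron).split()) != 5:
        errors.append("invalid CRON format: %r" % cron)
    if settings.get("use_client_cert"):
        for key in ("client_cert_path", "client_key_path"):
            if not settings.get(key):
                errors.append("%s is required when using a client certificate" % key)
    return errors


def validate_setup(settings):
    """Raise ValueError carrying every problem found, so nothing is saved on failure."""
    errors = setup_errors(settings)
    if errors:
        raise ValueError("setup validation failed: " + "; ".join(errors))
    return True
```

Refusing to save anything when one field is bad avoids a half-written configuration (for instance an HTTP API server URL that would send credentials in clear) being picked up by the next scheduled run.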


When installed on Search Head, do not run data inputs other than knowledge base 


Checks were added to the code (with help from the Splunk team) to ensure that TA will 
only run the knowledgebase data input when TA is installed on a Search Head, even when 
other data inputs have been added and enabled. In other words, TA will not run host 
detection, WAS findings and PC posture information data inputs when installed on Search 
Head. 


Log error messages given by Qualys API 


If the Qualys API responds back with an error (in the response body), TA will now log the error 
message in the TA log for troubleshooting. This way you'll know if there's an API reason for 
not getting data (e.g. Rate Limit exceeded). 




PID repeat issue resolved 


TA writes its PID in a .pid file for every input run. This file is deleted at the end of the 
run. TA uses this pid file to check if any process with that PID is running. If it finds such 
a process, TA checks whether that process is running qualys.py; only then will it 
terminate itself. Otherwise TA runs the qualys.py script for the scheduled input. 
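An added example, not the TA's code, of the PID-file decision just described. The process checks are injected as callables so the rule can be exercised without real processes; linux_pid_exists and linux_cmdline are the Linux implementations a deployment would pass in (/proc is Linux-specific), and the PID_FILE path is constructed for the example.

```python
import os

PID_FILE = "/tmp/TA-QualysCloudPlatform_host_detection.pid"   # constructed path


def parse_pid(pidfile_text):
    """Return the PID stored in the file, or None if the file is empty or unreadable."""
    text = (pidfile_text or "").strip()
    return int(text) if text.isdigit() else None


def should_start(pidfile_text, pid_exists, cmdline_of, script="qualys.py"):
    """Decide whether a new run may start.

    pid_exists(pid) -> bool and cmdline_of(pid) -> str are injected so the rule
    can be tested without real processes.
    """
    pid = parse_pid(pidfile_text)
    if pid is None:
        return True                      # no previous run recorded
    if not pid_exists(pid):
        return True                      # stale file left behind by a crashed run
    if script in cmdline_of(pid):
        return False                     # earlier run of qualys.py is still active
    return True                          # PID was reused by an unrelated process


def linux_pid_exists(pid):
    try:
        os.kill(pid, 0)                  # signal 0 only checks existence/permission
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                      # exists, but owned by another user
    return True


def linux_cmdline(pid):
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as handle:
            return handle.read().replace(b"\0", b" ").decode("utf-8", "replace")
    except OSError:
        return ""


def run_guarded(pid_path, pid_exists, cmdline_of, work):
    """Write our PID, run work(), and always remove the file afterwards.

    Returns False (and runs nothing) when an earlier run is still active.
    """
    try:
        with open(pid_path) as handle:
            existing = handle.read()
    except OSError:
        existing = ""
    if not should_start(existing, pid_exists, cmdline_of):
        return False
    with open(pid_path, "w") as handle:
        handle.write(str(os.getpid()))
    try:
        work()
    finally:
        os.remove(pid_path)
    return True
```

Checking the command line, not just PID existence, is what keeps a reused PID from blocking the input indefinitely after a crash; the finally block is what keeps a failing run from leaving the stale file behind in the first place.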


Configurable API Timeout period 


By default, the API timeout period is 300 seconds. If this value is not adequate you can set 
a different timeout value on the TA setup page. 


Display API parameters not allowed by TA 


To avoid operational problems, API parameters that are not allowed by TA are now clearly 
listed for each Extra API parameter field on the TA setup page. 


Log the index name being used in each run 


To help with troubleshooting, TA will now log the name of the index where data from each 
run will go into. This is the same index name as selected by the user while 
adding/updating the data input. 


Display data input name in each log entry 


There are some common execution paths for all data inputs in TA, and they write some 
log entries. When multiple data inputs are running at the same time, it becomes hard to 
identify which log entry was written for which data input. To fix this, TA will have a 
mention of data input it is running for in each log entry it writes. This way, one can grep 
all the log entries belonging to a particular data input. This would be useful if you are 
troubleshooting subsequent runs of the same data input. 


Avoid unnecessary call to msp/about.php each time Splunk invokes modular input 


Splunk invokes TA’s entry point script every 60 seconds. On each invocation, the code 
checks for the Qualys version by making a msp/about.php API call. This call was being 
made irrespective of whether the current time matched the configured cron/time interval. 
To avoid unnecessary calls, TA will first check if now is the time for any input to run. If 
yes, the API call is made. If no, the API call is not made. 
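An added example (not the TA's scheduler) of this guard: a small matcher for 5-field cron expressions (it supports *, */n, a-b, a-b/n, a,b lists and single values, a subset of cron syntax and an assumption about how input schedules are written), a check of which inputs are due at a given minute, and a run_cycle that only calls the version probe (a stand-in for the msp/about.php call) when something is due. An invalid cron string raises ValueError, the condition that, per the 1.8.0 notes above, is now logged in the TA log.

```python
from datetime import datetime


def _field_matches(spec, value, lo, hi):
    """Match one cron field: '*', '*/n', 'a-b', 'a-b/n', 'a,b,c' or a single number."""
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError("field %r out of range %d-%d" % (spec, lo, hi))
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr, when):
    """True if a 5-field cron expression (min hour dom mon dow) fires at `when`."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("invalid CRON format: %r" % expr)
    dow = (when.weekday() + 1) % 7          # cron counts Sunday as 0
    checks = [(fields[0], when.minute, 0, 59), (fields[1], when.hour, 0, 23),
              (fields[2], when.day, 1, 31), (fields[3], when.month, 1, 12),
              (fields[4], dow, 0, 6)]
    return all(_field_matches(spec, v, lo, hi) for spec, v, lo, hi in checks)


def is_valid_cron(expr):
    try:
        cron_matches(expr, datetime(2000, 1, 1))
        return True
    except ValueError:
        return False


def inputs_due(inputs, now):
    """Names of the inputs whose schedule fires at `now` (a datetime), sorted."""
    return sorted(name for name, cron in inputs.items() if cron_matches(cron, now))


class VersionProbe:
    """Stand-in for the msp/about.php version lookup; counts how often it is called."""

    def __init__(self):
        self.calls = 0

    def __call__(self):
        self.calls += 1
        return "constructed-version"


def run_cycle(inputs, now, fetch_version):
    """One modular-input invocation: probe the API only if some input is due."""
    due = inputs_due(inputs, now)
    if not due:
        return None, []
    return fetch_version(), due


def at(year, month, day, hour, minute):
    return datetime(year, month, day, hour, minute)


# Constructed schedules for two inputs.
SAMPLE_INPUTS = {"host_detection": "0 3 * * *", "knowledge_base": "*/15 * * * 1-5"}
```

Since Splunk invokes the script every 60 seconds, the guard removes up to 1,439 about.php calls per day for a daily input; it also means a mis-typed cron string is reported by the schedule check itself rather than surfacing as an API error later.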




